WO2007045630A2 - Apparatus, system, and method for implementing protected partitions in storage media - Google Patents
Apparatus, system, and method for implementing protected partitions in storage media
- Publication number: WO2007045630A2
- Application: PCT/EP2006/067446
- Authority: WIPO (PCT)
Classifications
- G11B20/1217—Formatting, e.g. arrangement of data blocks or words on the record carriers, on discs
- G06F3/0623—Securing storage systems in relation to content
- G06F3/0637—Permissions (configuration or reconfiguration of storage systems)
- G06F3/0676—Magnetic disk device (single in-line storage device)
- G11B27/322—Indexing; Addressing; Timing or synchronising by using digitally coded information signals recorded on separate auxiliary tracks of the same or an auxiliary record carrier
- G11B2020/1285—Status of the record carrier, e.g. space bit maps, flags indicating a formatting status or a write permission
Definitions
- This invention relates to storage media and more particularly relates to implementing protected partitions in storage media.
- Non-rewritable and non-erasable data may also be referred to as reference data, fixed content data, or Write Once Read Many (WORM) data.
- A disk based storage subsystem may be part of a Storage Area Network.
- The Storage Network Industry Association (SNIA) defines a SAN as a network whose primary purpose is the transfer of data between computer systems and storage elements.
- A SAN may comprise a communication infrastructure, which provides physical connections, and a management layer, which organizes the connections, storage elements, and computer systems so that data transfer is secure and robust.
- A SAN may also include a storage system comprising storage elements, storage devices, computer systems, and/or appliances, plus all control software, communicating over a network.
- A storage area network includes a plurality of storage devices, such as tape drives or hard disk drives, connected with a storage or disk controller.
- The disk controller is generally a server that is configured to process read/write requests from hosts or client machines.
- The hosts may be running a variety of operating systems such as Windows®, Linux®, UNIX®, AIX®, z/OS®, etc.
- The storage area network is an ideal solution for providing large amounts of storage and scalable server or storage controller performance.
- AIX and z/OS are trademarks of International Business Machines Corporation in the United States, other countries, or both; Windows is a trademark of Microsoft Corporation in the United States, other countries, or both; Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both; and UNIX is a registered trademark of The Open Group in the United States and other countries.
- A host requests data from the disk controller.
- The disk controller then retrieves the data from the particular storage device that contains the requested data, often referred to as a home location.
- The disk controller then sends the data to the host. If the host modifies the data, the data is sent back to the disk controller, which returns the modified data to the home location.
- The host awaits a response from the disk controller indicating that the read or write operation has completed.
- The home location often takes the form of a partition on the disk drive.
- A partition further comprises at least one unit of storage of fixed size, or at least one unit of storage of variable size. In one embodiment, the unit of storage of fixed size is a logical block address (LBA).
- The disk controller may also provide functions such as access by heterogeneous servers, data caching, data availability features such as various RAID implementations and clustering, scalability, virtualization of devices, replication services, and non-rewritable and non-erasable storage (WORM).
- WORM functionality is usually provided by microcode residing outside the storage device or disk drive, such as in the disk controller, which prevents modification, deletion, and addition of the data stored on disk drives.
- The disk drive is usually integrated and enclosed in the subsystem and cannot be removed.
- A storage subsystem providing WORM functionality is also referred to as a WORM storage subsystem.
- There is a need for an apparatus, system, and method that implements protected partitions in hard disk drives.
- Such an apparatus, system, and method would preferably utilize a standardized interface and not require proprietary hardware or interfaces.
- The apparatus to implement protected partitions is preferably provided with a logic unit containing a plurality of modules configured to functionally execute the necessary steps of protecting partitions.
- These modules include a control module configured to communicate with a host device and receive read and write commands for a storage device having at least one partition.
- The control module is located within an enclosure housing the storage device.
- The apparatus also includes a protection module operating within the control module and configured to maintain a plurality of protection states for the partition and a plurality of allowable transitions between the protection states.
- The apparatus includes a check module configured to verify the protection status of partitions and associated logical block addresses of the storage device.
- The apparatus includes a parse module configured to extract the logical block addresses and protection statuses from the read and write command.
- The apparatus includes a write module configured to write data to the storage device and perform protection status transitions of the partition.
- The plurality of protection states includes an unprotected state configured to allow the performance of an indefinite number of read/write operations to the partition, and a Write Once Read Many (WORM) protected state configured to protect the partition from any attempted write, erase, and format command.
- The plurality of protection states may also include an auto-protected state configured to allow exactly one successful write operation and subsequently convert to a read-only auto-protected state, and the read-only auto-protected state configured to prevent write, erase, and format commands once data has been written to the partition.
- The plurality of allowable transitions may include a transition from the unprotected state to one of the following: the unprotected state, for normal and repeated read/write operation; the auto-protected state, where a partition is automatically protected when all storage units pertaining to the partition have been written; and the WORM protected state, where no write to any storage unit pertaining to the WORM protected partition is possible.
- The plurality of allowable transitions also includes a transition from the auto-protected state to one of the unprotected state or the read-only auto-protected state, and a transition from the read-only auto-protected state to the WORM protected state.
- The storage device may be selected from the group comprising hard disk drives, DVD-R, DVD-RW, DVD-RAM, HD-DVD, Blu-Ray, UDO, CD-R, CD-RW, magneto-optical, phase change, holographic, tape cartridge drives, tape cassette drives, and solid-state media.
- The partition further comprises at least one unit of storage of fixed size, or alternatively at least one unit of storage of variable size.
- The unit of storage of fixed size is a logical block address (LBA).
- A system to implement protected partitions in storage media comprises: a host device; a storage device coupled with the host, the storage device comprising an enclosure having storage media and a control module; the control module configured to communicate with the host device and receive read and write commands for a storage device having at least one partition; the control module located within the enclosure; and a protection module operating within the control module and configured to maintain a plurality of protection states for the partition and a plurality of allowable transitions between the protection states.
- A method for implementing protected partitions in storage media comprises: communicating with a host device and receiving read and write commands for a storage device having at least one partition; and maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
- The method also includes verifying the protection status of partitions and logical block addresses of the storage device.
- The method includes extracting the logical block addresses and protection statuses from the read and write command. In a further embodiment, the method may include writing data to the storage device and performing protection status transitions of the partition.
- The method also includes allowing transitions from the unprotected state to the unprotected state for normal repeated read/write operation, to the auto-protected state, and to the WORM protected state. Additionally, the method includes allowing transitions from the auto-protected state to one of the unprotected state or the read-only auto-protected state, and from the read-only auto-protected state to the WORM protected state.
- The invention provides a signal bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform an operation to implement protected partitions in storage media, the operation comprising: communicating with a host device and receiving read and write commands for a storage device having at least one partition; and maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
- The invention also provides an apparatus to implement protected partitions in storage media, the apparatus comprising: means for communicating with a host device and receiving read and write commands for a storage device having at least one partition; and means for maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
- Figure 1 is a schematic block diagram illustrating a storage device in accordance with one embodiment of the present invention.
- Figure 2 is a schematic block diagram illustrating Logical Block Addressing in accordance with the prior art.
- Figure 3 is a schematic block diagram illustrating a control module in accordance with one embodiment of the present invention.
- Figure 4 is a schematic block diagram illustrating a plurality of protection states in accordance with one embodiment of the present invention.
- Figure 5 is a schematic block diagram illustrating a mode select command in accordance with one embodiment of the present invention.
- Figure 6 is a schematic block diagram illustrating a mode sense command in accordance with one embodiment of the present invention.
- Figure 7 is a schematic block diagram illustrating a mode page in accordance with one embodiment of the present invention.
- Figure 8 is a schematic flow chart diagram illustrating a method for implementing allowable protection state transitions in accordance with one embodiment of the present invention.
- Figure 9 is a schematic flow chart diagram illustrating one embodiment of a method for the processing of write commands.
- Figure 10 is a schematic block diagram illustrating a write command in accordance with one embodiment of the present invention.
- Figure 11 is a schematic block diagram illustrating a medium partition mode page in accordance with one embodiment of the present invention.
- Figure 12 is a schematic block diagram illustrating a method for protecting the control module 106 from intentional corruption of storage devices in accordance with one embodiment of the present invention.
- Modules may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components.
- A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices, or the like.
- Modules may also be implemented in software for execution by various types of processors.
- An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
- A module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices.
- Operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network.
- Reference to a signal bearing medium may take any form capable of generating a signal, causing a signal to be generated, or causing execution of a program of machine-readable instructions on a digital processing apparatus.
- A signal bearing medium may be embodied by a transmission line, a compact disk, a digital versatile disk, a magnetic tape, a Bernoulli drive, a magnetic disk, a punch card, flash memory, integrated circuits, or another digital processing apparatus memory device.
- Figure 1 is a schematic block diagram illustrating a storage device 100 in accordance with one embodiment of the present invention.
- The storage device 100 may comprise an enclosure 102, storage media 104, a control module 106, and a communication interface 108.
- The storage media 104 may include, but is not limited to, magnetic, optical, and solid state storage media. Examples of magnetic storage media 104 include, but are not limited to, hard disk drives and tape drives.
- The communication interface 108 may include, but is not limited to, HVD or LVD SCSI, Fibre Channel, ESCON, FICON, and RS-232.
- Examples of optical media include DVD-R (Digital Versatile Disk - …), DVD-RW (DVD Rewritable), DVD-RAM (DVD Random Access Memory), HD-DVD (High Definition DVD), Blu-Ray, UDO (Ultra Density Optical), CD-R (Compact Disk - Write Once), CD-RW (CD Rewritable), MO (magneto-optical), and PC (phase change).
- Solid state storage media include volatile memory such as SDRAM, and non-volatile memory such as flash memory.
- The control module 106 is configured to receive input and output requests (hereinafter "I/O requests" or "commands") through the communication interface 108 from a host and subsequently perform the I/O request.
- The control module 106 may be operatively coupled with the storage media 104 within the enclosure 102.
- Alternatively, the control module 106 may be configured to control a plurality of storage media 104 over a network.
- One such implementation includes a storage area network (not shown).
- The control module 106 is configured to execute I/O requests, or read/write commands, that access the smallest unit of storage of the storage media 104.
- The smallest unit of storage is the Logical Block Address (LBA).
- Logical block addressing translates physical locations of the storage media into addresses that can be used by the host. For example, logical block addressing translates the cylinder, head, and sector specifications of a hard disk drive into addresses that can be used by an operating system or basic input/output system (BIOS).
- The control module 106 may connect to a host via a communication link and similarly to the storage media 104.
- The storage media 104 may comprise disk drives, tape drives, and/or optical drives connected via an alternative communication link.
- The communication interface 108 is further configured to receive the I/O request and pass the I/O request to the control module 106.
- The control module 106 may be configured to perform protocol conversion from ESCON to SCSI or from FICON to SCSI. Furthermore, it may be configured to group the attached storage media 104 into logical drives or volumes.
- The control module 106 may also offer advanced functions, such as Remote Volume Mirroring, PPRC (Peer-to-Peer Remote Copy), XRC (Extended Remote Copy), Snapshot, FlashCopy, etc.
- Figure 2 is a schematic block diagram illustrating Logical Block Addressing 200 in accordance with the prior art.
- Logical block addressing 200 may be used in fixed block architecture (FBA) systems such as hard disk drives, optical disk drives, and removable storage drives.
- I/O is done by executing read/write commands that access the LBA.
- An LBA references a fixed amount of data.
- Storage media 104 may comprise millions of LBAs, depending upon the capacity of the storage media.
- Figure 2 illustrates a plurality of LBAs, each LBA represented as a single box 202.
- LBAs may be written in any order, and need not be written sequentially from a first LBA 202a to a last LBA 202b.
- The last LBA 202b may also be called the maximum LBA.
- The capacity of the storage media 104 (for example, a disk drive) is determined by the number of LBAs on the medium and the fixed size of the LBAs 202. For example, assuming a typical LBA size of 512 bytes, a hard disk drive with 10,000,000 LBAs has a capacity of 5.12 billion bytes.
- A partition 204 is an isolated portion of the storage media 104 that may behave as a separate storage medium 104.
- The partition 204 comprises at least one LBA 202. For example, partition 204a may comprise three LBAs 202, partition 204b one LBA 202, and partition 204c two LBAs 202.
- The partition 204 may comprise millions of LBAs 202.
- Storage media 104 may comprise multiple partitions, with each partition 204 having a different protection state.
- Partitions 204 never overlap, meaning that no two partitions contain the same LBA 202.
- Figure 3 is a schematic block diagram illustrating the control module 106 in accordance with one embodiment of the present invention.
- The control module 106 comprises a communication module 302, a write module 304, a parse module 306, a protection module 308, and a check module 310.
- The communication module 302 is configured to communicate with the host via the communication interface 108 in order to receive read/write commands and subsequently pass write commands to the write module 304 or return data to the host as a result of a read command.
- The parse module 306 is configured to extract logical block addresses and protection statuses from the read/write command.
- The check module 310 is configured to verify the protection status of partitions 204 and LBAs 202 of the storage media 104.
- The protection module 308 is configured with a plurality of protection states and allowable transitions between the protection states. The protection module 308 will be discussed in greater detail below with reference to Figure 4.
- The write module 304 is configured to write data to the storage media 104 and perform protection status transitions.
- Figure 4 is a schematic block diagram illustrating a plurality of protection states in accordance with one embodiment of the present invention.
- The protection states may be implemented within the protection module 308.
- The protection module 308 may comprise an unprotected state 402, a Write Once Read Many (WORM) protected state 404, an auto-protected state 406, and a read-only auto-protected state 408.
- The unprotected state 402 may be the default factory setting for the entire storage media 104, and allows the performance of an indefinite and repeated number of read/write operations to any LBA 202.
- This unprotected state 402 remains set for those areas on the storage media 104 that are not explicitly configured with the WORM state 404 or the auto-protected state 406.
- The WORM state 404 is configured to protect any partition 204 marked "WORM Protected" from any attempted write, erase, or format operation.
- The auto-protected state 406 allows any LBA 202 in an "auto-protected" partition 204 to be written exactly once; after the write operation completes successfully, the LBA 202 automatically transitions to the "read-only auto-protected" state 408. The remaining LBAs 202 in the partition that have not been written remain in the auto-protected state 406.
- The read-only auto-protected state 408 is configured to prevent any write, erase, and format operations once the LBA 202 has been written.
- Arrows 412 represent rules illustrating the allowable transitions of the protection state for a partition 204.
- The protection module 308 is configured to allow a partition 204 having the unprotected state 402 to rewrite its data, as indicated by arrow 412a.
- The unprotected state 402 may be transitioned 412b to the WORM protected state 404 by issuing an appropriate state transition command, which is explained below.
- The unprotected state may also be changed 412c to the auto-protected state 406 as a result of a state transition command.
- The WORM protected state 404 may be configured to not allow any state transitions.
- The auto-protected state 406 may be configured to allow exactly one successful write command to be issued to the partition 204.
- Once a write has succeeded, the protection state for an auto-protected partition 406 transitions 412d to the read-only auto-protected state 408.
- While there are unwritten LBAs 202, the written LBAs 202 are marked as read-only auto-protected 408 and the unwritten LBAs 202 remain in the auto-protected state 406.
- Once all LBAs 202 in an auto-protected partition have been written, all LBAs 202 within the partition become 412e WORM protected 404.
- A partition with the auto-protected state 406 may also be changed to the unprotected state 402 by sending an appropriate state transition command 412f. This, for example, enables correction of unwanted state changes, e.g. if the state of a partition has been set from unprotected to auto-protected by mistake.
- When a partition is in the WORM protected state 404 or the read-only auto-protected state 408, the data cannot be overwritten, deleted, or otherwise manipulated. Furthermore, the WORM protected state 404 and the read-only auto-protected state 408 cannot be reset once assigned. This means that any I/O requests for write, erase, or format operations addressing any LBA in the WORM protected state 404 or the read-only auto-protected state 408 are rejected by the control module 106.
- An LBA 202 in an auto-protected 406 partition remains auto-protected until it is written. If at least one LBA 202 within the auto-protected 406 partition has been written, the partition changes to read-only auto-protected 408. If the last LBA 202 in an auto-protected partition 406 is written, the read-only auto-protected 408 partition transitions to a WORM protected 404 partition.
- The protection states 402, 404, 406, 408 may be represented in inquiry commands as binary values, denoted by a b suffix, or decimal values (shown in parentheses).
- The unprotected state 402 may be represented as 00b (0 decimal), the WORM state 404 as 01b (1 decimal), the auto-protected state 406 as 10b (2 decimal), and the read-only auto-protected state 408 as 11b (3 decimal).
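The state machine described above, with the four states 402 to 408, the transitions 412a to 412f, and per-LBA write-once tracking, as an added C example. This is not code from the patent; the function names (`prot_transition`, `write_command`, `lba_writable`), the result codes, the toy `MAX_PART_LBAS` capacity and the three-partition layout taken from Figure 2 (3, 1 and 2 LBAs) are all assumptions or constructed sample data. The example also assumes that a single write command never spans two partitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Protection states with the binary encodings the page gives for inquiry data. */
enum prot_state {
    PROT_UNPROTECTED = 0,  /* 00b: unlimited read/write                   */
    PROT_WORM        = 1,  /* 01b: no write/erase/format, never reset     */
    PROT_AUTO        = 2,  /* 10b: each LBA may be written exactly once   */
    PROT_RO_AUTO     = 3   /* 11b: some LBAs written; those are read-only */
};

#define MAX_PART_LBAS 64   /* toy partition size (assumption; real partitions hold millions) */
#define MAX_PARTS     8

struct partition {
    uint32_t first_lba;
    uint32_t num_lbas;
    enum prot_state state;
    bool written[MAX_PART_LBAS];  /* per-LBA flag: has this LBA been written? */
};

struct medium {
    struct partition parts[MAX_PARTS];
    size_t nparts;
};

/* Result codes of the write path (assumed names, not from the page). */
enum { WR_OK = 0, WR_ERR_RANGE = -1, WR_ERR_PROTECTED = -2 };

/* Check module: may this single LBA be written in the partition's current state? */
static bool lba_writable(const struct partition *p, uint32_t lba)
{
    uint32_t idx = lba - p->first_lba;
    switch (p->state) {
    case PROT_UNPROTECTED: return true;              /* 412a: rewrite freely   */
    case PROT_WORM:        return false;             /* protected, no exception */
    case PROT_AUTO:
    case PROT_RO_AUTO:     return !p->written[idx];  /* write-once per LBA      */
    }
    return false;
}

/* Partitions never overlap, so at most one partition contains a given LBA. */
static struct partition *find_partition(struct medium *m, uint32_t lba)
{
    for (size_t i = 0; i < m->nparts; i++) {
        struct partition *p = &m->parts[i];
        if (lba >= p->first_lba && lba < p->first_lba + p->num_lbas)
            return p;
    }
    return NULL;
}

/* Protection module: host-requested transition (e.g. via a MODE SELECT). Returns true if allowed. */
bool prot_transition(struct partition *p, enum prot_state target)
{
    bool ok = false;
    if (p->state == PROT_UNPROTECTED)            /* 412a / 412b / 412c */
        ok = (target == PROT_UNPROTECTED || target == PROT_WORM || target == PROT_AUTO);
    else if (p->state == PROT_AUTO)              /* 412f: undo a mistaken auto-protect */
        ok = (target == PROT_UNPROTECTED);
    /* WORM and read-only auto-protected can never be reset by command. */
    if (ok)
        p->state = target;
    return ok;
}

/* Write module: write `count` LBAs starting at `lba`. Every LBA is checked before any is
 * touched, so a rejected command leaves no partial modification behind. */
int write_command(struct medium *m, uint32_t lba, uint32_t count)
{
    struct partition *p = find_partition(m, lba);
    if (p == NULL || count == 0 || lba + count > p->first_lba + p->num_lbas)
        return WR_ERR_RANGE;                      /* outside the medium or crossing a partition */
    for (uint32_t a = lba; a < lba + count; a++)
        if (!lba_writable(p, a))
            return WR_ERR_PROTECTED;

    /* (the data transfer to the media would happen here) */
    for (uint32_t a = lba; a < lba + count; a++)
        p->written[a - p->first_lba] = true;

    /* Automatic transitions driven by the write: 412d, then 412e once the partition is full. */
    if (p->state == PROT_AUTO || p->state == PROT_RO_AUTO) {
        bool all_written = true;
        for (uint32_t i = 0; i < p->num_lbas; i++)
            if (!p->written[i]) { all_written = false; break; }
        p->state = all_written ? PROT_WORM : PROT_RO_AUTO;
    }
    return WR_OK;
}

/* Constructed sample: the Figure 2 layout, 204a = LBAs 0-2, 204b = LBA 3, 204c = LBAs 4-5. */
void medium_init_fig2(struct medium *m)
{
    static const struct { uint32_t first, num; } layout[] = { {0, 3}, {3, 1}, {4, 2} };
    m->nparts = 3;
    for (size_t i = 0; i < 3; i++) {
        struct partition *p = &m->parts[i];
        p->first_lba = layout[i].first;
        p->num_lbas  = layout[i].num;
        p->state     = PROT_UNPROTECTED;          /* factory default */
        for (uint32_t j = 0; j < MAX_PART_LBAS; j++) p->written[j] = false;
    }
}
```

The check-before-write ordering is the point worth copying: a multi-LBA write into an auto-protected partition that touches even one already-written LBA is rejected as a whole, so a host cannot use a partially accepted command to overwrite retained data. The partition state is derived from the per-LBA flags after each successful write rather than stored independently, which keeps the two from drifting apart.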
- The protection module 308 includes a virtually deleted protected state (not shown).
- This virtually deleted state may be configured to denote that the WORM or auto-protected data has been "virtually deleted."
- The virtually deleted data would still be read-accessible by the host for historical purposes, but the data would be earmarked as "virtually deleted" for whatever reason, such as the data being considered out-of-date or no longer relevant.
- FIG. 5 is a schematic block diagram illustrating one embodiment of a mode select command 500 in accordance with the SCSI-3 Interface Standard.
- the illustrated mode select command 500 is the SCSI (Small Computer System Interface) command with command code 15h 502.
- the mode select command 500 is given herein by way of example for a state transition command.
- the mode select command 500 may be used to initiate the transition 412b from an unprotected state 402 to WORM protected state 404 or 412c from unprotected state 402 to auto-protected state 406 or 412f from auto-protected state 406 to unprotected state 402.
- the mode select command 500 may be initiated by the host system (subsequently also called initiator) and received by the control module 106 via the communication interface 108 of the storage device 100.
- Mode select command 500 with command code 15h 502 provides a means for the host to specify the parameter list length 504 and logical unit 506 of the target storage device.
- the parameter list length 504 specifies the size of the mode page to be transferred in bytes.
- the mode select command 500 is always followed by a mode page sent from the host system to the storage device 100.
- FIG. 6 is a schematic block diagram illustrating a mode sense command 600 in accordance with one embodiment of the present invention.
- the mode sense command 600 allows the host to retrieve mode page information, such as a mode page, from the storage device 100.
- the mode sense command 600 may be initiated by the host system (subsequently also called initiator) and received by the control module 106 via the communication interface 108 of the storage device 100.
- the command code 602 of the SCSI mode sense command is 1Ah.
- the mode sense command 600 allows the host to specify a page code 604, and an allocation length 606, which in turn specifies the maximum returned data size.
- Page code 604 identifies the mode page to be retrieved; logical unit 608 identifies the target logical unit of the storage device.
- the allocation length 606 bounds the number of bytes the storage device may return; as a result of the mode sense command 600 the storage device returns the requested mode page, truncated if the allocation length is smaller than the page.
- Figure 7 is a schematic block diagram illustrating a mode page 700 in accordance with one embodiment of the present invention.
- Allocation length 606 of Figure 6 specifies the number of bytes to be transferred from the storage media 104 to the host as result of the mode sense command 600, this is the size of the mode page 700.
- the mode sense command 600 will allow the host to obtain the protection state of a partition or an individual LBA.
- the mode page 700 sent by the storage device as a response to the mode sense command 600 allows the host system to inquire the state of a partition or LBA. Not all fields in the mode page 700 are used by the mode sense command. For example, if the mode sense command 600 field 604 is set to 0Dh, specifying mode page code 0Dh, the storage device may return the mode page 700 with the following characteristics: field 702 is set to 0Dh, field 704 is set to 17h, field 705 is set to 1 if the storage device is capable of supporting WORM partitions, field 706 is set to 1 if at least one protected partition is activated, field 708 returns the number of protected partitions which exist within the storage device, field 710 returns the number of the partition to which the subsequent fields 711, 712 and 713 apply, field 711 specifies the start address (or LBA) of the partition, field 712 outlines the end address of the partition and field 713 returns the protection status of that partition, which is one of unprotected 00b, WORM protected 01b, auto-protect
- the mode select and mode sense command can be used in combination to make an inquiry of the protection parameters such as the starting and ending address (LBA) and protection state of a particular partition.
- the sequence starts with sending a mode select command 500 specifying 15h in field 502 and 17h in field 504 and the logical unit address of the storage device in field 506.
- mode page 700 is sent with field 710 set to the number of the partition for which the information is requested, and all other fields in mode page 700 set to 00h, indicating that this is not a state transition.
- These two commands are sent from the host (initiator) to the storage device.
- the host then sends a mode sense command 600 with field 602 set to 1Ah, field 604 set to 0Dh and field 606 set to 17h indicating the expected length of the mode page.
- Field 608 is set to the address of the storage device.
- the storage device returns mode page 700 where field 702 is set to 0Dh, field 704 is set to 17h, field 705 is set to 1 if the storage device is capable of supporting WORM partitions, field 706 is set to 1 if at least one protected partition is activated, field 708 returns the number of protected partitions which exist within the storage device, and field 710 returns the number of the partition for which the information is requested. In one embodiment, this number may be the same number which was sent previously.
- Field 711 specifies the start address (or LBA) of the partition
- field 712 outlines the end address of the partition
- field 713 returns the protection status of that partition state which is one of unprotected 00b, WORM protected 01b, auto-protected 10b or read-only auto-protected 11b.
- the mode pages are used bidirectionally between the storage device and the host system.
- the host system uses the mode page 700 in association with a MODE SELECT command to initiate a state transition.
- the host system also uses this mode page 700 in association with a MODE SENSE command to inquire the status of a partition or LBA.
- the storage device derives the protection state for the partition (s) from the mode page. Therefore the mode pages are stored in the storage device.
- the page code for the protected partition mode page is set to 0Dh by way of example.
- the page code 702 indicates that a protected partition is to be set or inquired. This is the unique page code which the host system uses to initiate state transitions or to inquire protection states.
- the field 704 of the mode page 700 defines the length of this mode page in bytes. Following the SCSI convention, the page length counts the bytes after the page code and page length bytes themselves, so the value 17h (23) used in this example corresponds to a mode page of 25 bytes in total.
- the field WORM 705 indicates whether or not the WORM protection mechanism is supported by the product and is only used when inquiring protection states.
- the field Act 706 indicates that at least one protected partition is activated. This field is also used with an inquiry command operation. If this field is set to "0" there are no protected partitions set. Otherwise, there are protected partitions set on this disk drive.
- the field Maximum Number of Partitions 708 denotes the maximum number of partitions that can be configured with a start and end address, e.g. an LBA address. This field is used with the inquiry operation. It is a product specific value, usually assigned during manufacturing of the storage device, and must not exceed FFFEh. With the field protected partition 710 an existing partition can be specified. Setting this field to "0" specifies all partitions. A value of FFFFh indicates that the information for the particular LBA specified in field 711 is to be returned.
- the starting boundary 711 indicates the LBA at which this partition subject to the state transition or inquiry operation starts.
- the ending boundary 712 specifies at which LBA this partition subject to the state transition or inquiry operation ends.
- fields 711 and 712 shall be greater than 0, and the ending boundary 712 must be equal to or greater than the starting boundary 711; a partition of a single LBA has equal boundaries.
- the protection status 713 specifies the protection status for this partition state which is one of either unprotected 00b, WORM protected 01b, auto-protected 10b or read-only auto-protected 11b.
- a protection status may be configured for a single LBA or a range of LBAs based on the allowable transitions in figure 4. Every consecutive series of LBAs that is to be associated with a protection status of either 00b, 01b, 10b, or 11b is a protected partition. Hence, a protected partition may consist of any number of LBAs, from 1 to the maximum number of LBAs on the medium.
- control module 106 is configured to receive existing SCSI commands, such as mode select 500 and mode sense 600 in order to create partitions with a WORM protected state 404 or auto-protected state 406, or retrieve the partition state that may be an unprotected state 402, a WORM protected state 404, an auto-protected state 406 or a read-only auto-protected state 408.
- the mode page 700 includes information 710, 711, 712, 713 about a partition and the protection parameters such as the range of LBAs and protection status to be set.
- the protection module 308 may be configured to utilize the allowable states 402, 404, 406, 408 in accordance with the creation and manipulation of partitions.
- Figure 7 gives by way of example mode page 700 code ODh 702 as one embodiment to implement the present invention.
- mode page 700 is used bidirectional between the storage device 100 and the host.
- the host may utilize the mode page 700 in association with a mode select 500 command to create partitions, i.e. "to select the mode."
- the host uses this mode page 700 in association with a mode sense 600 command to specify a partition for which the protection state 402,
- the control module 106 may also use the mode page 700 to obtain the data residing in the partition and the corresponding protection state 402, 404, 406, 408 and also to return it when requested to the host.
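The mode page exchange described above, fields 702 to 713 carried by MODE SELECT (host to device) and returned by MODE SENSE (device to host), as an added, runnable example in Python. This is editorial code, not part of the patent or of any IBM product. The byte offsets, the bit positions chosen for WORM and Act, the 64-bit width of the boundary fields and all function names are assumptions, since the patent numbers the fields but does not give their layout; the values it does state (page code 0Dh, page length 17h, the FFFEh limit of field 708, the 0/FFFFh special values of field 710 and the boundary constraints of fields 711 and 712) are used as written. The sample pages at the bottom are constructed for illustration.

```python
import struct

PAGE_CODE = 0x0D           # field 702 in the patent's example
PAGE_LENGTH = 0x17         # field 704: 23 bytes follow the two header bytes (25 in total)
PAGE_SIZE = PAGE_LENGTH + 2
ALL_PARTITIONS, SINGLE_LBA = 0x0000, 0xFFFF    # special values of field 710
MAX_PARTITIONS_LIMIT = 0xFFFE                  # upper bound for field 708
UNPROTECTED, WORM, AUTO_PROTECTED, RO_AUTO_PROTECTED = 0b00, 0b01, 0b10, 0b11

# Assumed byte layout (the patent numbers the fields but gives no offsets):
#   0      page code (702)                 1      page length (704)
#   2      bit 7 WORM (705), bit 6 Act (706), bits 5:0 reserved
#   3-4    maximum number of partitions (708)
#   5-6    protected partition number (710)
#   7-14   starting boundary LBA (711)     15-22  ending boundary LBA (712)
#   23     protection status in bits 1:0 (713)
#   24     reserved
_LAYOUT = ">BBBHHQQBB"
assert struct.calcsize(_LAYOUT) == PAGE_SIZE


def request_kind(f: dict) -> str:
    """Classify a host-sent page: LBA inquiry (710 = FFFFh), partition inquiry
    (boundary fields left at 00h) or a state transition request."""
    if f["partition"] == SINGLE_LBA:
        return "lba-inquiry"
    if f["start"] == 0 and f["end"] == 0:
        return "partition-inquiry"
    return "transition"


def page_errors(f: dict) -> list:
    """Constraints the patent states for fields 708, 711, 712 and 713; an empty
    list means the page is acceptable."""
    errors = []
    if not 0 <= f["max_partitions"] <= MAX_PARTITIONS_LIMIT:
        errors.append("field 708 exceeds FFFEh")
    if f["status"] not in (UNPROTECTED, WORM, AUTO_PROTECTED, RO_AUTO_PROTECTED):
        errors.append("field 713 is not a two-bit protection status")
    if request_kind(f) == "transition":
        if f["start"] <= 0 or f["end"] <= 0:
            errors.append("fields 711 and 712 shall be greater than 0")
        if f["end"] < f["start"]:
            errors.append("ending boundary 712 is below starting boundary 711")
    return errors


def build_page(partition: int, start: int = 0, end: int = 0, status: int = UNPROTECTED,
               worm: bool = False, act: bool = False, max_partitions: int = 0) -> bytes:
    """Encode mode page 700, either for MODE SELECT or as a MODE SENSE response."""
    f = dict(partition=partition, start=start, end=end, status=status,
             worm=worm, act=act, max_partitions=max_partitions)
    errors = page_errors(f)
    if errors:
        raise ValueError("; ".join(errors))
    flags = (0x80 if worm else 0) | (0x40 if act else 0)
    return struct.pack(_LAYOUT, PAGE_CODE, PAGE_LENGTH, flags, max_partitions,
                       partition, start, end, status & 0b11, 0)


def parse_page(page: bytes) -> dict:
    """Decode mode page 700; the page code and length are checked before any
    other field is trusted."""
    if len(page) < PAGE_SIZE:
        raise ValueError("short mode page: %d bytes" % len(page))
    code, length, flags, max_partitions, partition, start, end, status, _ = \
        struct.unpack(_LAYOUT, page[:PAGE_SIZE])
    if code != PAGE_CODE or length != PAGE_LENGTH:
        raise ValueError("not protected partition page 0Dh/17h: %02Xh/%02Xh" % (code, length))
    return dict(partition=partition, start=start, end=end, status=status & 0b11,
                worm=bool(flags & 0x80), act=bool(flags & 0x40),
                max_partitions=max_partitions)


# Constructed sample exchange: the host's inquiry for partition 1 (all other fields
# 00h), then a device reply describing a read-only auto-protected partition at LBAs
# 100 to 103 on a WORM-capable device with 40000 configurable partitions.
INQUIRY = build_page(partition=1)
REPLY = build_page(partition=1, start=100, end=103, status=RO_AUTO_PROTECTED,
                   worm=True, act=True, max_partitions=40000)
```

A device implementing the check of method 800 would run `page_errors` before touching any partition state, so that a request with a reversed or zero boundary is answered with CHECK CONDITION rather than being partially applied.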
- FIG. 8 is a schematic flow chart diagram illustrating a method 800 for implementing allowable protection state transitions in accordance with one embodiment of the present invention.
- the method 800 starts 802 and the communication module 302 of the control module 106 receives 804 the mode select command 500 and the mode page 700 via interface 108.
- the parse module 306 then extracts 806 the LBAs and the new protection state from the mode page 700. Extracting 806 the LBAs and the protection state may comprise generating a list of LBAs and the new protection state.
- the check module 310 then verifies the actual protection states of those LBAs being obtained. In one embodiment, the actual state is the protection state the storage media 104 has associated with each requested LBA.
- the check module 310 then obtains 808 the actual protection states for the list of LBAs extracted from the command.
- the protection module 308 compares the new protection state with the actual protection state and determines if the status transition is allowable 810.
- the allowable transitions are predetermined and defined as described above with reference to Figure 4. If the transition to the new protection state is allowed 810 for each LBA extracted 804 from the mode page, the write module 304 stores 812 the new protection state and the method 800 ends 814 upon the communication module 302 returning a success response to the host. However, if the transition is not allowed 810 for any of the LBAs, the protection module 308 prevents the transition and the communication module 302 returns 813 an error such as a SCSI check condition status to the host. In one embodiment, the error may be an "abnormal end of task," or abend, error message. The method 800 then ends 814.
- the storage media 104 may be configured to store the information given by the mode select command 500 in an internal memory which may be part of the check module 310. For example, with an affordable 1 MB memory chip the information of approximately 40,000 protection partitions may be stored. This internal memory allows a fast access to this data for subsequent operations, such as processing write commands.
- the protection partition information may be periodically written to the reserved area on the storage media 104, typically during idle time.
- FIG. 9 is a schematic flow chart diagram illustrating one embodiment of a method 900 for the processing of write commands.
- the method 900 begins 902 and the communication module 302 receives 904 a write command via the communication interface 108.
- the parse module 306 then obtains 906 all command addresses (LBAs) from the write command such as write command 1000.
- the command addresses comprise a starting LBA where the data is to be written to, as well as the transfer length, which indicates the number of sequential LBAs to be written.
- the check module 310 then obtains 908 the actual protection states for the command addresses (LBAs) .
- the LBAs obtained 906 from the write command 1000 may be referred to as "CMD_LBA.”
- the protection module 308 compares the addresses from the command with the corresponding protection states on the storage media 104. If the protection module 308 finds that the CMD_LBA correspond 910 to WORM-protected areas or read-only (RO) auto-protected areas, the protection module 308 prevents the write command and the communication module 302 returns 911 an error message, and the method 900 ends 912.
- the error message may comprise the abend error message described above.
- the write module 304 writes 914 the data to the storage media 104. If the write was not successful 916, then the control module 106 starts an error recovery process 918.
- Determining the success of a write could be, in one embodiment, made by performing a write-verification or reading of the freshly written data. If the write was successful 916 the protection module 308 determines 920 if the freshly written data was written to an auto-protected partition 406. If not, the method 900 ends 912. Alternatively, if so, the write module 304 is configured to determine 922 if the partition is full. The partition is full if all LBAs pertaining to that partition are in state read-only auto-protected 408. This information is obtained from the check module 310.
- If the partition is full, the write module 304 changes 924 the protection state of the partition to WORM-protected 404. If the partition is not full, the write module 304 changes 926 the protection status of the just-written LBAs and the partition itself to read-only auto-protected 408. The method 900 then ends 912.
- FIG 10 is a schematic block diagram illustrating a write command 1000 having a logical unit number (LUN) 1002 in accordance with one embodiment of the present invention.
- the write command 1000 may also include a starting LBA 1004, bytes 2-5, and a transfer length 1006, bytes 7-8.
- the CMD_LBAs are the blocks from the starting LBA 1004 through the ending LBA of the write command 1000. Because the transfer length 1006 counts logical blocks rather than bytes, the ending LBA is the starting LBA plus the transfer length minus one; a transfer length of zero in a WRITE(10) command addresses no blocks at all.
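The protection state machine at the top of this section (states 00b to 11b, the host-initiated transitions 412b, 412c and 412f, and the automatic transitions to read-only auto-protected and WORM as an auto-protected partition fills), together with the transition check of method 800 and the write processing of method 900, as one added, runnable Python example. It is editorial code, not the patent's own firmware. The class and method names are assumptions, partitions are modelled as inclusive LBA ranges, a transition request must cover either unpartitioned space or exactly one existing partition (a simplification the patent does not spell out), and the media write itself is not simulated. The WRITE(10) CDB layout (opcode 2Ah, LBA in bytes 2-5, transfer length in blocks in bytes 7-8) and the GOOD / CHECK CONDITION status values are the SCSI ones.

```python
import struct
from dataclasses import dataclass, field

# Protection states as encoded in the patent's protection status field (00b..11b)
UNPROTECTED, WORM, AUTO_PROTECTED, RO_AUTO_PROTECTED = 0b00, 0b01, 0b10, 0b11

# SCSI status bytes returned to the initiator
GOOD, CHECK_CONDITION = 0x00, 0x02

# Host-initiated transitions the patent allows: 412b, 412c, 412f and the
# unprotected-to-unprotected case for normal read/write use. Read-only
# auto-protected and WORM can never be reset, so they have no outgoing entries.
ALLOWED_HOST_TRANSITIONS = {
    (UNPROTECTED, UNPROTECTED), (UNPROTECTED, WORM), (UNPROTECTED, AUTO_PROTECTED),
    (AUTO_PROTECTED, UNPROTECTED),
}


def write10_cdb(lba: int, transfer_length: int) -> bytes:
    """Build a WRITE(10) CDB: opcode 2Ah, LBA in bytes 2-5, transfer length in bytes 7-8."""
    return struct.pack(">BBIBHB", 0x2A, 0, lba, 0, transfer_length, 0)


def cmd_lbas(cdb: bytes) -> range:
    """Step 906: the CMD_LBAs addressed by a WRITE(10) CDB. The transfer length counts
    logical blocks, so the last LBA is start + length - 1; zero means no blocks."""
    opcode, _, start, _, length, _ = struct.unpack(">BBIBHB", cdb)
    if opcode != 0x2A:
        raise ValueError("not a WRITE(10) CDB")
    return range(start, start + length)


@dataclass
class Partition:
    start: int
    end: int                                   # inclusive, like the ending boundary 712
    state: int
    written: set = field(default_factory=set)  # LBAs written so far (auto-protected only)

    def contains(self, lba: int) -> bool:
        return self.start <= lba <= self.end

    def is_full(self) -> bool:
        return len(self.written) == self.end - self.start + 1


class ProtectionModule:
    """Simulates the protection, check and write modules of the control module."""

    def __init__(self):
        self.partitions = []

    def _partition_of(self, lba: int):
        return next((p for p in self.partitions if p.contains(lba)), None)

    def lba_state(self, lba: int) -> int:
        """Actual protection state of one LBA (check module, steps 808 and 908)."""
        p = self._partition_of(lba)
        if p is None:
            return UNPROTECTED
        if p.state in (AUTO_PROTECTED, RO_AUTO_PROTECTED):
            return RO_AUTO_PROTECTED if lba in p.written else AUTO_PROTECTED
        return p.state

    def partition_state(self, lba: int) -> int:
        p = self._partition_of(lba)
        return UNPROTECTED if p is None else p.state

    def request_transition(self, start: int, end: int, new_state: int) -> int:
        """Method 800: a MODE SELECT carrying boundaries and a new state for a partition."""
        if new_state not in (UNPROTECTED, WORM, AUTO_PROTECTED) or start > end:
            return CHECK_CONDITION            # read-only auto-protected is never host-selectable
        # Assumed simplification: the range is unpartitioned space or exactly one
        # existing partition; partial overlaps are rejected outright.
        existing = [p for p in self.partitions if p.start <= end and start <= p.end]
        if existing and not (len(existing) == 1 and
                             (existing[0].start, existing[0].end) == (start, end)):
            return CHECK_CONDITION
        # Step 810: every LBA's actual state must allow the transition, or nothing changes.
        if any((self.lba_state(lba), new_state) not in ALLOWED_HOST_TRANSITIONS
               for lba in range(start, end + 1)):
            return CHECK_CONDITION
        self.partitions = [p for p in self.partitions if p not in existing]
        if new_state != UNPROTECTED:
            self.partitions.append(Partition(start, end, new_state))   # step 812
        return GOOD

    def write(self, cdb: bytes) -> int:
        """Method 900: reject writes touching WORM or read-only auto-protected LBAs,
        otherwise record the write and apply the auto-protect transitions (920 to 926)."""
        lbas = cmd_lbas(cdb)
        if any(self.lba_state(lba) in (WORM, RO_AUTO_PROTECTED) for lba in lbas):
            return CHECK_CONDITION            # step 911, before any block is modified
        for lba in lbas:                      # step 914 (media write not simulated)
            p = self._partition_of(lba)
            if p is not None and p.state in (AUTO_PROTECTED, RO_AUTO_PROTECTED):
                p.written.add(lba)
                p.state = WORM if p.is_full() else RO_AUTO_PROTECTED   # steps 924 / 926
        return GOOD
```

The check in `write` runs over the whole CMD_LBA range before any block is modified, so a command that straddles an unprotected area and a WORM partition is rejected as a whole rather than partially applied; the same all-or-nothing rule is applied to the per-LBA transition check of method 800.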
- the logical unit numbers 1002 inherent in every SCSI interface may be used to separate rewritable data from WORM data.
- rewritable data I/O 402 may be sent across a first logical unit number (LUN-0) of the communication interface 108 of the storage device 100.
- Auto-protected 406 data I/O could be sent across LUN-2 of the same communication interface 108 of the same storage device 100.
- WORM protected 404 I/O could be sent across LUN-3 of the same communication interface 108 of the same storage device 100.
- Data sent through LUN-0 may be saved on a different partition than that of the data of LUN-2 and LUN-3.
- FIG 11 is a schematic block diagram illustrating a medium partition mode page 1100 in accordance with one embodiment of the present invention.
- Mode page 1100 is designated by page code 11h 1101.
- the control module 106 may be easily adapted to control single-reel tape cartridges and dual-reel tape cassettes.
- a tape cartridge or cassette can have multiple partitions which may be managed from the host via mode select commands.
- the protection state can be set to (a) unprotected, (b) WORM protected, and (c) auto-protected.
- the mode pages may be used to transfer information about the protection state from the host to the tape drive.
- Figure 11 illustrates the medium partition mode page 1100, according to INCITS T10/1434-D.
- Two bits 1104, 00b - 11b, of the reserved field 1102, which have been previously discussed, can be used to denote the protection state for the partition.
- the Medium Format Recognition field 1106 may be used to denote the protection state, especially if tape is being used as the storage medium.
- a scheme can be incorporated which shows the protection state of a particular partition encoded in the byte and bits.
- device drivers that convert the SCSI mode sense and mode select commands to ATA or IDE commands, for example, may be developed to extend the present invention to non-SCSI devices.
- the tape drive may store the protection state for a partition and for each logical block in that partition in the initialization area for each partition of each removable tape cartridge or cassette.
- the protection state for each partition may be stored in both the initialization area of the tape cartridge or cassette and in cartridge or enclosure memory.
- Figure 12 is a schematic block diagram illustrating one embodiment of a method 1200 for protecting the control module 106 from intentional corruption of storage devices 100.
- An example of intentional corruption of storage devices 100 would be someone intentionally taking out a disk pertaining to a WORM protected entity and modifying the data contained within.
- the method 1200 starts 1202 and the control module 106 checks 1204 whether storage media 104 is broken.
- Upon detecting 1204 a storage media 104 failure, the control module 106 starts 1206 appropriate error recovery and posts an error message. If no failure has been detected 1204, the method 1200 continues to check for disk failures.
- appropriate error recovery in a RAID system is, for example, to rebuild the RAID.
- checking 1210 for the same disk comprises comparing the unique serial number and manufacturer ID of the storage device 100. Note that both identifiers are reported by the drive itself and are not an authenticated identity; a match only selects the same-disk path, and it is the password check 1212, 1214 that gates integration. If the disk is not the same disk as was previously removed, the control module 106 considers this a new disk and integrates 1216 the disk.
- the control module 106 increments 1220 a counter.
- the counter is configured to maintain the number of incorrect password attempts. If the counter is greater 1222 than a predefined maximum, the control module 106 will isolate the storage media 104 and return 1224 an error state. The error may denote a state where an unauthorized attempt to manipulate the data has been detected and eliminated. If the counter is not greater 1222 than the maximum, the control module 106 again attempts to obtain the password 1212 from the user. When the passwords are validated 1214, the control module 106 will integrate 1216 the disk.
- a rebuild will start. If the disk is the same as before, the control module 106 will attempt to perform diagnostics with the disk and scan the medium for possible defects. If no defects are found the data of the disk is considered valid and so the integration might not require a rebuild. However, if the disk is 1210 not the same, the control module 106 integrates 1216 the disk and considers it a new empty disk. This will require a rebuild. The method 1200 then ends 1226.
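The re-insertion procedure of method 1200 (same-disk check 1210, password prompt 1212 and validation 1214, attempt counter 1220 against a predefined maximum 1222, isolation 1224 and the two integration outcomes 1216), as an added, runnable Python example. This is editorial code, not the patent's. The class and method names, the attempt limit of three, and the storage of the password as a salted PBKDF2 derivation compared in constant time are assumptions; the patent says only that passwords are obtained from the user and validated. The disk identities and passwords in the usage are constructed for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    INTEGRATED_SAME_DISK = "same disk: diagnostics and defect scan, rebuild only if defects found"
    INTEGRATED_NEW_DISK = "different disk: integrated as empty, rebuild required"
    ISOLATED = "unauthorized manipulation attempt detected, disk isolated"


@dataclass(frozen=True)
class DiskIdentity:
    manufacturer_id: str
    serial_number: str


class ReinsertionGuard:
    """Steps 1204 to 1226 of method 1200 for one removed disk."""
    MAX_ATTEMPTS = 3          # assumed value of the predefined maximum in step 1222
    PBKDF2_ROUNDS = 100_000   # assumed; the patent does not say how the password is stored

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._digest = self._derive(password)   # only the salted derivation is kept
        self.removed: Optional[DiskIdentity] = None
        self.isolated = False

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, self.PBKDF2_ROUNDS)

    def on_media_failure(self, disk: DiskIdentity) -> None:
        """Steps 1204 and 1206: remember which disk dropped out while recovery runs."""
        self.removed = disk

    def on_reinsert(self, disk: DiskIdentity, ask_password: Callable[[], str]) -> Outcome:
        """Step 1210 onwards. Serial number and manufacturer ID are self-reported by the
        drive, so a match only selects the path; the password gate decides integration."""
        if self.isolated:
            return Outcome.ISOLATED
        if disk != self.removed:                  # step 1210: not the same disk
            return Outcome.INTEGRATED_NEW_DISK    # step 1216 as a new, empty disk
        attempts = 0                              # counter of step 1220
        while attempts < self.MAX_ATTEMPTS:
            candidate = self._derive(ask_password())          # step 1212
            if hmac.compare_digest(candidate, self._digest):  # step 1214, constant time
                return Outcome.INTEGRATED_SAME_DISK           # step 1216 with diagnostics
            attempts += 1
        self.isolated = True                      # step 1224: lock the disk out
        return Outcome.ISOLATED


# Constructed usage: the removed disk comes back and the operator gets one wrong try.
guard = ReinsertionGuard("correct horse battery staple")
removed = DiskIdentity("IBM", "SN0001")
guard.on_media_failure(removed)
answers = iter(["wrong", "correct horse battery staple"])
result = guard.on_reinsert(removed, lambda: next(answers))
```

Once `isolated` is set, every later re-insertion of that identity is refused without prompting, so an attacker who re-seats the same disk cannot reset the counter by power-cycling it.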
- the present invention may be embodied in other specific forms without departing from its spirit or essential characteristics.
- the SCSI commands described herein could be implemented over a Fibre Channel ("FC") physical layer.
- other protocols such as FICON, Ethernet, Gigabit Ethernet, Infiniband, TCP/IP, iSCSI, ATA, SATA, and the like, could be used without limitation.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Human Computer Interaction (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Abstract
An apparatus, system, and method are disclosed for implementing protected partitions in storage media. The apparatus includes a control module configured to communicate with a host and receive read/write commands for a storage device, and a protection module operating within the control module and configured to maintain a plurality of protection states for the partition and a plurality of allowable transitions between the protection states. The system includes the apparatus, a host device, and a storage device coupled with the host, the storage device including an enclosure having storage media and a control module. The method includes communicating with a host device and receiving read and write commands for a storage device having at least one partition, and maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
Description
APPARATUS, SYSTEM, AND METHOD FOR IMPLEMENTING PROTECTED PARTITIONS IN STORAGE MEDIA
BACKGROUND OF THE INVENTION
FIELD OF THE INVENTION
This invention relates to storage media and more particularly relates to implementing protected partitions in storage media.
DESCRIPTION OF THE RELATED ART
The explosion of data created by e-business is making storage a strategic investment priority for companies of all sizes. As storage takes precedence, a major concern has emerged: the need to archive data in a non-rewritable and non-erasable manner. This need is based in part on the need to meet the legal requirements of the management of financial data, such as required by the Securities and Exchange Commission and HIPAA, as well as the archival of court records, customer records, and other long-lived information. Traditionally, optical media has been used to store data in non-rewritable and non-erasable form. Non-rewritable and non-erasable data may also be referred to as reference data, fixed content data, or Write Once Read Many (WORM) data.
Information technology providers are increasingly migrating WORM data to disk based storage subsystems due to the constantly dropping price and increasing storage capacity of the disks in the storage subsystems. A disk based storage subsystem may be part of a Storage Area Network. The Storage Network Industry Association (SNIA) defines SAN as a network whose primary purpose is the transfer of data between computer systems and storage elements. A SAN may comprise a communication infrastructure, which provides physical connections; and a management layer, which organizes the connections, storage elements, and computer systems so that data transfer is secure and robust. A SAN may also include a storage system comprising storage elements, storage devices, computer systems, and/or appliances, plus all control software, communicating over a network.
Commonly, a storage area network includes a plurality of storage devices, such as tape drives or hard disk drives, connected with a storage or disk controller. The disk controller is generally a server that is configured to process read/write requests from hosts or client machines. The hosts may be running a variety of operating systems such as Windows®, Linux®, UNIX®, AIX®, z/OS®, etc. In large computing environments, the storage area network is an ideal solution for providing large amounts of storage and scalable server or storage controller performance. (AIX and z/OS are trademarks of International Business Machines Corporation in the United States, other countries, or both; Windows is a trademark of Microsoft Corporation in the United States, other countries, or both; Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both; and UNIX is a registered trademark of The Open Group in the United States and other countries.)
Typically, in a storage area network environment, a host requests data from the disk controller. The disk controller then retrieves the data from the particular storage device that contains the requested data, often referred to as a home location. The disk controller then sends the data to the host. If the host modifies the data, the data is sent back to the disk controller which returns the modified data to the home location. Typically, the host awaits a response from the disk controller indicating the read or write operation has completed. The home location often takes the form of a partition on the disk drive. A partition further comprises at least one unit of storage of fixed size, or at least one unit of storage of variable size. In one embodiment, the unit of storage of fixed size is a logical block address (LBA) .
The disk controller may also provide functions such as the ability to provide access by heterogeneous servers, data caching, data availability features such as various RAID implementations and clustering, scalability, virtualization of devices, replication services and non-rewritable and non-erasable storage (WORM) . WORM functionality is usually provided by microcode residing outside the storage device or disk drive, such as in the disk controller, which prevents modification, deletions, and additions to the data stored on disk drives. The disk drive is usually integrated and enclosed in the subsystem and cannot be removed. A storage subsystem providing WORM functionality is also referred to as WORM storage subsystem.
Even though WORM storage subsystems are becoming more and more accepted as a legal means of archiving reference data, there remains a security concern: the data on the disk drive is inherently rewritable and erasable. The only protections preventing the alteration or deletion of archived data are provided by the controller microcode, which does not allow modifications or deletions, and the physical protection of the disk drives, which are enclosed in a lockable rack or cabinet. When a disk drive is removed from the storage subsystem the data on that disk drive is no longer secure and may be overwritten, deleted or otherwise manipulated. To prevent this, the data can be formatted in a special way to make the alteration of the data more difficult; however, it is still possible to decode the format and manipulate the data. This puts the integrity of the archived data at more risk than in the past, when the physical nature of the medium provided a natural barrier to the modification of the data. Furthermore, current WORM systems typically depend on proprietary interfaces to the host computer or disk controller, which may introduce problems with the existing information technology infrastructure.
SUMMARY OF THE INVENTION
There is preferably provided an apparatus, system, and method that implements protected partitions in hard disk drives. Beneficially, such an apparatus, system, and method would preferably utilize a standardized interface and not require proprietary hardware or interfaces.
The apparatus to implement protected partitions is preferably provided with a logic unit containing a plurality of modules configured to functionally execute the necessary steps of protecting partitions.
According to a first aspect, there is provided a control module configured to communicate with a host device and receive read and write commands for a storage device having at least one partition. The control module is located within an enclosure housing the storage device. The apparatus also includes a protection module operating within the control module and configured to maintain a plurality of protection states for the partition and a plurality of allowable transitions between the protection states .
In one embodiment, the apparatus includes a check module configured to verify the protection status of partitions and associated logical block addresses of the storage device.
In one embodiment, the apparatus includes a parse module configured to extract the logical block addresses and protection statuses from the read and write command. In a further embodiment, the apparatus includes a write module configured to write data to the storage device and perform protection status transitions of the partition.
In one embodiment, the plurality of protection states includes an unprotected state configured to allow an indefinite number of read/write operations to the partition, and a Write Once Read Many (WORM) protected state configured to protect the partition from any attempted write, erase, and format command. Additionally, the plurality of protection states may include an auto-protected state configured to allow exactly one successful write operation to each of its storage units and subsequently convert to a read-only auto-protected state, and the read-only auto-protected state configured to prevent write, erase, and format commands once data has been written to the partition.
In one embodiment, the plurality of allowable transitions may include a transition from the unprotected state to one of the following: the unprotected state for normal and repeated read/write operation, the auto-protected state where a partition is automatically protected when all storage units pertaining to the partition have been written, and the WORM protected state where no write to any storage units pertaining to the WORM protected partition is possible. In a further embodiment, the plurality of allowable transitions includes a transition from the auto-protected state to one of the unprotected state or the read-only auto-protected state, and a transition from the read-only auto-protected state to the WORM protected state.
In one embodiment the storage device may be selected from the group comprising hard disk drives, DVD-R, DVD-RW, DVD-RAM, HD-DVD, Blu-Ray, UDO, CD-R, CD-RW, magneto-optical, phase change, holographic, tape cartridge drives, tape cassette drives, and solid-state media. In one embodiment, the partition further comprises at least one unit of storage of fixed size, or alternatively at least one unit of storage of variable size. In one embodiment, the unit of storage of fixed size is a logical block address (LBA) .
According to a second aspect, there is provided a system to implement protected partitions in storage media, the system comprising: a host device; a storage device coupled with the host, the storage device comprising an enclosure having storage media and a control module; the control module configured to communicate with the host device and receive read and write commands for a storage device having at least one partition; the control module located within the enclosure; and a protection module operating within the control module and configured to maintain a plurality of protection states for the partition and a plurality of allowable transitions between the protection states.
According to a third aspect, there is provided a method for implementing protected partitions in storage media, the method comprising: communicating with a host device and receiving read and write commands for a storage device having at least one partition; and maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
In one embodiment, the method also includes verifying the protection status of partitions and logical block addresses of the storage device.
In one embodiment, the method includes extracting the logical block addresses and protection statuses from the read and write command. In a further embodiment, the method may include writing data to the storage device and performing protection status transitions of the partition.
The method also includes allowing transitions from the unprotected state to the unprotected state for normal repeated read/write operation, to the auto-protected state, and to the WORM protected state. Additionally, the method includes allowing transitions from the auto-protected state to one of the unprotected state or the read-only auto-protected state, and from the read-only auto-protected state to the WORM protected state.
According to a fourth aspect, the invention provides a signal bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform an operation to implement protected partitions in storage media, the operation comprising: communicating with a host device and receiving read and write commands for a storage device having at least one partition; and maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
According to a fifth aspect, the invention provides an apparatus to implement protected partitions in storage media, the apparatus comprising: means for communicating with a host device and receiving read and write commands for a storage device having at least one partition; and means for maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
Reference throughout this specification to features, advantages, or similar language does not imply that all of the features and advantages that may be realized with the present invention should be or are in any single embodiment of the invention. Rather, language referring to the features and advantages is understood to mean that a specific feature, advantage, or characteristic described in connection with an embodiment is included in at least one embodiment of the present invention. Thus, discussion of the features and advantages, and similar language, throughout this specification may, but do not necessarily, refer to the same embodiment.
Furthermore, the described features, advantages, and characteristics of the invention may be combined in any suitable manner in one or more embodiments. One skilled in the relevant art will recognize that the invention may be practiced without one or more of the specific features or advantages of a particular embodiment. In other instances, additional features and advantages may be recognized in certain embodiments that may not be present in all embodiments of the invention.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the present invention will now be described, by way of example only, and with reference to the following drawings:
Figure 1 is a schematic block diagram illustrating a storage device in accordance with one embodiment of the present invention;
Figure 2 is a schematic block diagram illustrating Logical Block Addressing in accordance with the prior art;
Figure 3 is a schematic block diagram illustrating a control module in accordance with one embodiment of the present invention;
Figure 4 is a schematic block diagram illustrating a plurality of protection states in accordance with one embodiment of the present invention;
Figure 5 is a schematic block diagram illustrating a mode select command in accordance with one embodiment of the present invention;
Figure 6 is a schematic block diagram illustrating a mode sense command in accordance with one embodiment of the present invention;
Figure 7 is a schematic block diagram illustrating a mode page in accordance with one embodiment of the present invention;
Figure 8 is a schematic flow chart diagram illustrating a method for implementing allowable protection state transitions in accordance with one embodiment of the present invention;
Figure 9 is a schematic flow chart diagram illustrating one embodiment of a method for the processing of write commands;
Figure 10 is a schematic block diagram illustrating a write command in accordance with one embodiment of the present invention;
Figure 11 is a schematic block diagram illustrating a medium partition mode page in accordance with one embodiment of the present invention; and
Figure 12 is a schematic block diagram illustrating a method for protecting the control module 106 from intentional corruption of storage devices in accordance with one embodiment of the present invention.
DETAILED DESCRIPTION OF THE INVENTION
Many of the functional units described in this specification have been labeled as modules, in order to more particularly emphasize their implementation independence. For example, a module may be implemented as a hardware circuit comprising custom VLSI circuits or gate arrays, off-the-shelf semiconductors such as logic chips, transistors, or other discrete components. A module may also be implemented in programmable hardware devices such as field programmable gate arrays, programmable array logic, programmable logic devices or the like.
Modules may also be implemented in software for execution by various types of processors. An identified module of executable code may, for instance, comprise one or more physical or logical blocks of computer instructions which may, for instance, be organized as an object, procedure, or function. Nevertheless, the executables of an identified module need not be physically located together, but may comprise disparate instructions stored in different locations which, when joined logically together, comprise the module and achieve the stated purpose for the module.
Indeed, a module of executable code may be a single instruction, or many instructions, and may even be distributed over several different code segments, among different programs, and across several memory devices. Similarly, operational data may be identified and illustrated herein within modules, and may be embodied in any suitable form and organized within any suitable type of data structure. The operational data may be collected as a single data set, or may be distributed over different locations including over different storage devices, and may exist, at least partially, merely as electronic signals on a system or network.
Reference throughout this specification to "one embodiment," "an embodiment," or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases "in one embodiment," "in an embodiment," and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.
Reference to a signal bearing medium may take any form capable of generating a signal, causing a signal to be generated, or causing execution of a program of machine-readable instructions on a digital processing apparatus. A signal bearing medium may be embodied by a transmission line, a compact disk, digital-versatile disk, a magnetic tape, a Bernoulli drive, a magnetic disk, a punch card, flash memory, integrated circuits, or other digital processing apparatus memory device.
Furthermore, the described features, structures, or characteristics of the invention may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided, such as examples of programming, software modules, user selections, network transactions, database queries, database structures, hardware modules, hardware circuits, hardware chips, etc., to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that the invention may be practiced without one or more of the specific details, or with other methods, components, materials, and so forth. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of the invention.
Figure 1 is a schematic block diagram illustrating a storage device 100 in accordance with one embodiment of the present invention. The storage device 100 may comprise an enclosure 102, storage media 104, a control module 106 and a communication interface 108. The storage media 104 may include, but is not limited to, magnetic, optical, and solid state storage media. Examples of magnetic storage media 104 include, but are not limited to, hard disk drives, and tape drives. The communication interface 108 may include, but is not limited to, HVD or LVD SCSI, fiber channel, ESCON, FICON and RS-232.
Examples of optical media include DVD-R (Digital Versatile Disk - Write Once), DVD-RW (DVD Rewritable), DVD-RAM (DVD Random Access Memory), HD-DVD (High Definition DVD), Blu-Ray, UDO (Ultra Density Optical), CD-R (Compact Disk - Write Once), CD-RW (CD Rewritable), magneto-optical (MO), phase change (PC), holographic, and the like. Examples of solid state storage media include volatile memory such as SDRAM, and non-volatile memory such as flash memory.
The control module 106 is configured to receive input and output requests (hereinafter "I/O requests" or "commands") through the communication interface 108 from a host and subsequently perform the I/O request. The control module 106 may be operatively coupled with the storage media 104 within the enclosure 102. Alternatively, the control module 106 may be configured to control a plurality of storage media 104 over a network. One such implementation includes a storage area network (not shown).
The control module 106 is configured to execute I/O requests, or read/write commands, that access the smallest unit of storage of the storage media 104. In one embodiment, the smallest unit of storage is the Logical Block Address (LBA). Logical block addressing translates physical locations of the storage media into addresses that can be used by the host. For example, logical block addressing translates the cylinder, head, and sector specifications of a hard disk drive into addresses that can be used by an operating system or basic input/output system (BIOS).
In a further embodiment, the control module 106 may connect to a host via a communication link and similarly to the storage media 104. As described above, the storage media 104 may comprise disk drives, tape drives, and/or optical drives via an alternative communication link. The communication interface 108 is further configured to receive the I/O request and pass the I/O request to the control module. The control module 106 may be configured to perform protocol conversion from ESCON to SCSI or from FICON to SCSI. Furthermore, it may be configured to group the attached storage media 104 into logical drives or volumes. The control module 106 may also offer advanced functions, such as Remote Volume Mirroring, PPRC (Peer-to-Peer Remote Copy), XRC (Extended Remote Copy), Snapshot, Flashcopy, etc.
Figure 2 is a schematic block diagram illustrating Logical Block Addressing 200 in accordance with the prior art. Logical block addressing 200 may be used in fixed block architecture (FBA) systems such as hard disk drives, optical disk drives, and removable storage drives. In FBA peripherals, I/O is done by executing read/write commands that access the LBA. An LBA references a fixed amount of data.
Storage media 104 may comprise millions of LBAs, depending upon the capacity of the storage media. Figure 2 illustrates a plurality of LBA, each LBA represented as a single box 202. As is well known to those skilled in the art, LBA may be written in any order, and need not be written sequentially from a first LBA 202a, to a last LBA 202b.
The last LBA 202b may also be called the maximum LBA. The capacity of the storage media 104 (e.g., a disk drive) is determined by the number of LBAs on the medium and the fixed size of the LBAs 202. For example, assuming a typical LBA size of 512 bytes, a hard disk drive with 10,000,000 LBAs accounts for a capacity of 5.12 billion bytes.
A partition 204 is an isolated portion of the storage media 104 that may behave as a separate storage media 104. The partition 204 comprises at least one LBA 202. For example, partition 204a may comprise three LBAs 202, while partition 204b comprises one LBA 202, and partition 204c comprises two LBAs 202. Alternatively, the partition 204 may comprise millions of LBAs 202. Storage media 104 may comprise multiple partitions with each partition 204 having a different protection state. In a further embodiment, partitions 204 never overlap, meaning that any two partitions do not contain the same LBA 202.
Figure 3 is a schematic block diagram illustrating the control module 106 in accordance with one embodiment of the present invention. The control module 106, in one embodiment, comprises a communication module 302, a write module 304, a parse module 306, a protection module 308, and a check module 310. The communication module 302 is configured to communicate with the host via the communication interface 108 in order to receive read/write commands and subsequently pass write commands to the write module 304 or return data to the host as a result of a read command.
In a further embodiment, the parse module 306 is configured to extract logical block addresses and protection statuses from the read/write command. The check module 310 is configured to verify the protection status of partitions 204 and LBAs 202 of the storage media 104. The protection module 308 is configured with a plurality of protection states and allowable transitions between the protection states. The protection module 308 will be discussed in greater detail below with reference to Figure 4. The write module 304 is configured to write data to the storage media 104 and perform protection status transitions.
Figure 4 is a schematic block diagram illustrating a plurality of protection states in accordance with one embodiment of the present invention. In one embodiment, the protection states may be implemented within the protection module 308. The protection module 308 may comprise an unprotected state 402, a Write Once Read Many (WORM) protected state 404, an auto-protected state 406, and a read-only auto-protected state (hereinafter "read-only state") 408. The unprotected state 402 may be the default factory setting for the entire storage media 104, and allows the performance of an indefinite and repeated number of read/write operations to any LBA 202.
This unprotected state 402 remains set for those areas on the storage media 104 that are not explicitly configured with the WORM state 404 or the auto-protected state 406. The WORM state 404 is configured to protect any partition 204 associated with "WORM Protected" from any attempted write, erase, or format operation. The auto-protected state 406 allows any LBA 202 in an "auto-protected" partition 204 to be written exactly once, and after successfully completing the write operation the LBAs 202 will automatically transition to the "read-only auto-protect" state 408. The remaining LBAs 202 in the partition that have not been written will remain in the auto-protected state 406. The read-only auto-protect state 408 is configured to prevent any write, erase, and format operations once the LBA 202 has been written.
Arrows 412 represent rules illustrating allowable state transitions of the protection state for a partition 204. For example, the protection module 308 is configured to allow a partition 204 having an unprotected state 402 to allow rewriting of the data as indicated by arrow 412a. The unprotected state 402 may be transitioned 412b to a WORM protected state 404 by issuing an appropriate state transition command which will be explained below. Alternatively, the unprotected state may also be changed 412c to the auto-protected state 406 as a result of a state transition command. As illustrated, the WORM protected state 404 may be configured to not allow any state transitions.
The auto-protected state 406 may be configured to allow exactly one successful write command to be issued to the partition 204. When a write command has been successfully processed, the protection state for an auto-protected partition 406 will transition 412d to the read-only auto-protected state 408. While there are unwritten LBAs 202, the written LBAs 202 are marked as read-only auto protected 408, while the unwritten LBAs 202 remain in the auto-protected state 406. Once all LBAs 202 in an auto-protected partition have been written, all LBAs 202 within the partition become 412e WORM protected 404.
In a further embodiment, a partition with the auto-protected state 406 may also be changed to the unprotected state 402 by sending an appropriate state transition command 412f. This, for example, enables correction of unwanted state changes, e.g. if the state of a partition has been set from unprotected to auto-protected by mistake.
Once a partition is in the WORM protected state 404 or read-only auto-protected state 408, the data cannot be overwritten, deleted or otherwise manipulated. Furthermore, the WORM protection state 404 and the read-only auto-protected state 408 cannot be reset once assigned. This means that any I/O requests for write, erase or format operations addressing any LBA pertaining to the WORM protection state 404 or read-only auto-protected state are rejected by the control module 106. In a further embodiment, an LBA 202 in an auto-protected 406 partition remains auto-protected until it is written. If at least one LBA 202 within the auto-protected 406 partition has been written, the partition changes to read-only auto-protected 408. If the last LBA 202 in an auto-protected partition 406 is written, the read-only auto-protected 408 partition will transition to a WORM 404 protected partition.
In one embodiment, the protection states 402, 404, 406, 408 may be represented in inquiry commands as binary values, denoted by a b suffix, or decimal values (shown in parentheses). For example, the unprotected state 402 may be represented as 00b (0 decimal), the WORM state 404 may be represented as 01b (1 decimal), the auto-protected state 406 may be represented as 10b (2 decimal), and the read-only auto-protected state 408 may be represented as 11b (3 decimal).
In a further embodiment, the protection module 308 includes a virtually deleted protected state (not shown). This virtually deleted state may be configured to denote that the WORM or auto-protected data has been "virtually deleted." The virtually deleted data would still be read-accessible by the host for historical purposes, but the data would be earmarked as "virtually deleted" for whatever reason, such as the data being considered out-of-date or no longer relevant.
Figure 5 is a schematic block diagram illustrating one embodiment of a mode select command 500 in accordance with the SCSI-3 Interface Standard. The illustrated mode select command 500 is the SCSI (Small Computer System Interface) command with command code 15h 502. The mode select command 500 is given herein by way of example for a state transition command. For example, the mode select command 500 may be used to initiate the transition 412b from an unprotected state 402 to WORM protected state 404 or 412c from unprotected state 402 to auto-protected state 406 or 412f from auto-protected state 406 to unprotected state 402. The mode select command 500 may be initiated by the host system (subsequently also called initiator) and received by the control module 106 via the communication interface 108 of the storage device 100. Mode select command 500 with command code 15h 502 provides a means for the host to specify the parameter list length 504 and logical unit 506 of the target storage device. The parameter list length 504 specifies the size of the mode page to be transferred in bytes. The Mode Select command 500 is always succeeded by a mode page sent from the host system to the storage device 100.
Figure 6 is a schematic block diagram illustrating a mode sense command 600 in accordance with one embodiment of the present invention. The mode sense command 600 allows the host to retrieve or inquire mode page information, such as from a mode page from the storage device 100. The mode sense command 600 may be initiated by the host system (subsequently also called initiator) and received by the control module 106 via the communication interface 108 of the storage device 100. The command code 602 of the SCSI Mode Sense command is 1Ah. The mode sense command 600 allows the host to specify a page code 604, and an allocation length 606, which in turn specifies the maximum returned data size. Page code 604 specifies the page code of the mode page to be retrieved, and logical unit 608 the target storage device. The allocation length specifies the length of the mode page. As a result of the mode sense command 600 the storage device receiving it will return the appropriate mode page.
Figure 7 is a schematic block diagram illustrating a mode page 700 in accordance with one embodiment of the present invention. Allocation length 606 of Figure 6 specifies the number of bytes to be transferred from the storage media 104 to the host as result of the mode sense command 600, this is the size of the mode page 700. In one embodiment, the mode sense command 600 will allow the host to obtain the protection state of a partition or an individual LBA.
The mode page 700, sent by the storage device as a response to the mode sense command 600, allows the host system to inquire the state of a partition or LBA. Not all fields in the mode page 700 are used by the mode sense command. For example, if the mode sense command 600 field 604 is set to 0Dh, specifying mode page code 0Dh, the storage device may return the mode page 700 with the following characteristics: field 702 is set to 0Dh, field 704 is set to 17h, field 705 is set to 1 if the storage device is capable of supporting WORM partitions, field 706 is set to 1 if at least one protected partition is activated, field 708 returns the number of protected partitions which exist within the storage device, field 710 returns the number of the partition to which the subsequent fields 711, 712 and 713 apply, field 711 specifies the start address (or LBA) of the partition, field 712 outlines the end address of the partition and field 713 returns the protection status of that partition, which is one of unprotected 00b, WORM protected 01b, auto-protected 10b or read-only auto-protected 11b. In this sequence the storage device will return the mode page 700 multiple times, once for each partition which is configured.
The mode select and mode sense command can be used in combination to make an inquiry of the protection parameters such as the starting and ending address (LBA) and protection state of a particular partition. The sequence starts with sending a mode select command 500 specifying 15h in field 502 and 17h in field 504 and the logical unit address of the storage device in field 506. Subsequently mode page 700 is sent with field 710 set to the number of the partition for which the information is requested, and all other fields in mode page 700 are set to 00h indicating that this is not a state transition. These two commands are sent from the host (initiator) to the storage device.
In one embodiment, the host then sends a mode sense command 600 with field 602 set to 1Ah, field 604 set to 0Dh and field 606 set to 17h indicating the expected length of the mode page. Field 608 is set to the address of the storage device. As a response to this command sequence the storage device returns mode page 700 where field 702 is set to 0Dh, field 704 is set to 17h, field 705 is set to 1 if the storage device is capable of supporting WORM partitions, field 706 is set to 1 if at least one protected partition is activated, field 708 returns the number of protected partitions which exist within the storage device, and field 710 returns the number of the partition for which the information is requested. In one embodiment, this number may be the same number which was sent previously. Field 711 specifies the start address (or LBA) of the partition, field 712 outlines the end address of the partition and field 713 returns the protection status of that partition state which is one of unprotected 00b, WORM protected 01b, auto-protected 10b or read-only auto-protected 11b.
According to the SCSI standard, the mode pages are used bidirectionally between the storage device and the host system. In this invention, the host system uses the mode page 700 in association with a MODE SELECT command to initiate a state transition. The host system also uses this mode page 700 in association with a MODE SENSE command to inquire the status of a partition or LBA. The storage device derives the protection state for the partition(s) from the mode page. Therefore the mode pages are stored in the storage device. There are usually multiple mode pages, and each mode page has a unique page code. The page code for the protected partition mode page is, by way of example, set to 0Dh.
The page code 702 indicates that a protected partition is to be set. This is the unique page code which is used by the host system to initiate state transitions or to inquire protection states. The page code of the protected partition mode page is, by way of example, set to 0Dh. The field 704 of the mode page 700 defines the length of this mode page in bytes; for this example it is set to 25 bytes. The field WORM 705 indicates whether or not the WORM Protection Mechanism is supported by the product and is only used to inquire protection states. The field Act 706 indicates that at least one Protected Partition is activated. This field is also used with an inquiry command operation. If this field is set to "0" there are no protected partitions set. Otherwise, there are protected partitions set on this disk drive.
The field Maximum Number of Partitions 708 denotes the maximum number of partitions that can be configured with a start and end address, e.g. an LBA address. This field is used with the inquiry operation. This is a product specific value and is usually assigned during manufacturing of the storage device. This value must not exceed FFFEh. With the field protected partition 710 an existing partition can be specified. Setting this field to a value of "0" specifies all partitions. A value of FFFFh indicates that the information for a particular LBA, as specified in field 711, is to be returned.
The starting boundary 711 indicates the LBA at which this partition subject to the state transition or inquiry operation starts. The ending boundary 712 specifies at which LBA this partition subject to the state transition or inquiry operation ends. The fields 711 and 712 shall be greater than 0 and the ending boundary 712 must be equal to or greater than the starting boundary 711. The protection status 713 specifies the protection status for this partition state which is one of either unprotected 00b, WORM protected 01b, auto-protected 10b or read-only auto-protected 11b.
As outlined earlier, a protection status may be configured for a single LBA or a range of LBAs based on the allowable transitions in Figure 4. Every consecutive series of LBAs that are to be associated with a protection status of either 00b, 01b, 10b, or 11b is a protected partition. Hence, a protected partition may consist of any number of LBAs, from 1 to the maximum number of LBAs on the medium.
In one embodiment, the control module 106 is configured to receive existing SCSI commands, such as mode select 500 and mode sense 600, in order to create partitions with a WORM protected state 404 or auto-protected state 406, or retrieve the partition state that may be an unprotected state 402, a WORM protected state 404, an auto-protected state 406 or a read-only auto-protected state 408. The mode page 700 includes information 710, 711, 712, 713 about a partition and the protection parameters such as the range of LBAs and protection status to be set. The protection module 308 may be configured to utilize the allowable states 402, 404, 406, 408 in accordance with the creation and manipulation of partitions.
Figure 7 gives by way of example mode page 700 code 0Dh 702 as one embodiment to implement the present invention. Alternatively, one skilled in the art of SCSI commands will recognize that a different page code of a reserved and not used mode page according to the SCSI standard may also be used. The mode page 700 is used bidirectionally between the storage device 100 and the host. The host may utilize the mode page 700 in association with a mode select 500 command to create partitions, i.e. "to select the mode." The host uses this mode page 700 in association with a mode sense 600 command to specify a partition for which the protection state 402, 404, 406, 408 is to be retrieved. The control module 106 may also use the mode page 700 to obtain the data residing in the partition and the corresponding protection state 402, 404, 406, 408 and also to return it when requested to the host.
The schematic flow chart diagrams that follow are generally set forth as logical flow chart diagrams. As such, the depicted order and labeled steps are indicative of one embodiment of the presented method. Other steps and methods may be conceived that are equivalent in function, logic, or effect to one or more steps, or portions thereof, of the illustrated method. Additionally, the format and symbols employed are provided to explain the logical steps of the method and are understood not to limit the scope of the method. Although various arrow types and line types may be employed in the flow chart diagrams, they are understood not to limit the scope of the corresponding method. Indeed, some arrows or other connectors may be used to indicate only the logical flow of the method. For instance, an arrow may indicate a waiting or monitoring period of unspecified duration between enumerated steps of the depicted method. Additionally, the order in which a particular method occurs may or may not strictly adhere to the order of the corresponding steps shown.
Figure 8 is a schematic flow chart diagram illustrating a method 800 for implementing allowable protection state transitions in accordance with one embodiment of the present invention. The method 800 starts 802 and the communication module 302 of the control module 106 receives 804 the mode select command 500 and the mode page 700 via interface 108. The parse module 306 then extracts 806 the LBAs and the new protection state from the mode page 700. Extracting 806 the LBAs and the protection state may comprise generating a list of LBAs and the new protection state. The check module 310 then verifies the actual protection states of those LBAs being obtained. In one embodiment, the actual state is the protection state the storage media 104 has associated with each requested LBA. The check module 310 then obtains 808 the actual protection states for the list of LBAs extracted from the command.
The protection module 308 then compares the new protection state with the actual protection state and determines if the status transition is allowable 810. In one embodiment, the allowable transitions are predetermined and defined as described above with reference to Figure 4. If the transition to the new protection state is allowed 810 for each LBA extracted 804 from the mode page, the write module 304 stores 812 the new protection state and the method 800 ends 814 upon the communication module 302 returning a success response to the host. However, if the transition is not allowed 810 for any of the LBAs, the protection module 308 prevents the transition and the communication module 302 returns 813 an error such as a SCSI check condition status to the host. In one embodiment, the error may be an "abnormal end of task," or abend, error message. The method 800 then ends 814.
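The following is an added example, not part of the patent specification, illustrating method 800 together with the field constraints on the starting and ending boundaries 711 and 712 described above. It models the allowable transitions of Figure 4 as a lookup set, validates the boundaries, obtains the actual state of every requested LBA from a dictionary standing in for the check module's internal memory, and stores the new state only when the transition is allowed for all LBAs, otherwise raising an exception in place of the SCSI check condition. The mode page is represented by its logical fields rather than raw bytes, and all names (`ALLOWED_TRANSITIONS`, `CheckCondition`, `parse_mode_page`, `apply_state_transition`) are hypothetical.

```python
"""Added example (not from the patent): all-or-nothing protection-state
transition check modelled on method 800 (Figure 8) and the allowable
transitions of Figure 4. The LBA state store and mode page fields are
constructed for this example; names are hypothetical."""

# Protection states as the patent encodes them (00b, 01b, 10b, 11b).
UNPROTECTED = 0b00        # state 402
WORM = 0b01               # state 404
AUTO_PROTECTED = 0b10     # state 406
RO_AUTO_PROTECTED = 0b11  # state 408

# Allowable transitions, arrows 412a-412f of Figure 4. WORM allows none.
ALLOWED_TRANSITIONS = {
    (UNPROTECTED, UNPROTECTED),            # 412a: normal repeated rewrite
    (UNPROTECTED, WORM),                   # 412b
    (UNPROTECTED, AUTO_PROTECTED),         # 412c
    (AUTO_PROTECTED, RO_AUTO_PROTECTED),   # 412d (normally caused by a write)
    (RO_AUTO_PROTECTED, WORM),             # 412e (normally caused by a write)
    (AUTO_PROTECTED, UNPROTECTED),         # 412f: undo a mistaken auto-protect
}


class CheckCondition(Exception):
    """Stand-in for the SCSI check condition / abend returned to the host."""


def parse_mode_page(page):
    """Step 806: validate fields 711-713 and return (list of LBAs, new state).

    Fields 711 and 712 shall be greater than 0 and 712 must be >= 711.
    """
    start, end, status = page["start_lba"], page["end_lba"], page["status"]
    if start <= 0 or end <= 0 or end < start:
        raise CheckCondition("invalid partition boundaries")
    if status not in (UNPROTECTED, WORM, AUTO_PROTECTED, RO_AUTO_PROTECTED):
        raise CheckCondition("unknown protection status")
    return list(range(start, end + 1)), status


def apply_state_transition(lba_states, page):
    """Steps 804-814: transition every LBA named by the mode page, or none.

    lba_states maps LBA -> state; LBAs not listed carry the factory default
    (unprotected). Returns the new state on success and raises CheckCondition
    if the transition is not allowed for any LBA; nothing is stored on failure.
    """
    lbas, new_state = parse_mode_page(page)
    # Steps 808/810: obtain the actual state and check each transition first.
    for lba in lbas:
        actual = lba_states.get(lba, UNPROTECTED)
        if (actual, new_state) not in ALLOWED_TRANSITIONS:
            raise CheckCondition(
                f"LBA {lba}: transition {actual:02b} -> {new_state:02b} not allowed")
    # Step 812: only now persist the new state for all LBAs.
    for lba in lbas:
        lba_states[lba] = new_state
    return new_state


if __name__ == "__main__":
    states = {}
    apply_state_transition(states, {"start_lba": 1, "end_lba": 3, "status": AUTO_PROTECTED})
    apply_state_transition(states, {"start_lba": 1, "end_lba": 3, "status": UNPROTECTED})
    apply_state_transition(states, {"start_lba": 1, "end_lba": 3, "status": WORM})
    try:  # LBA 2 is now WORM, so the request is rejected and LBAs 4-5 stay untouched
        apply_state_transition(states, {"start_lba": 2, "end_lba": 5, "status": UNPROTECTED})
    except CheckCondition as err:
        print("rejected:", err)
    print({lba: f"{state:02b}" for lba, state in states.items()})
```

The check loop runs to completion before the store loop starts, which is what gives the method its all-or-nothing property: a request spanning one WORM protected LBA leaves every other LBA in the range unchanged.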
In one embodiment, the storage media 104 may be configured to store the information given by the mode select command 500 in an internal memory which may be part of the check module 310. For example, with an affordable 1 MB memory chip the information of approximately 40,000 protection partitions may be stored. This internal memory allows a fast access to this data for subsequent operations, such as processing write commands. In a further embodiment, the protection partition information may be periodically written to the reserved area on the storage media 104, typically during idle time.
Figure 9 is a schematic flow chart diagram illustrating one embodiment of a method 900 for the processing of write commands. The method 900 begins 902 and the communication module 302 receives 904 a write command via the communication interface 108. The parse module 306 then obtains 906 all command addresses (LBAs) from the write command such as write command 1000. The command addresses comprise a starting LBA where the data is to be written to, as well as the transfer length, which indicates the number of sequential LBAs to be written. The check module 310 then obtains 908 the actual protection states for the command addresses (LBAs). The LBAs obtained 906 from the write command 1000 may be referred to as "CMD_LBA." The protection module 308 then compares the addresses from the command with the corresponding protection states on the storage media 104. If the protection module 308 finds that the CMD_LBA correspond 910 to WORM-protected areas or read-only (RO) auto-protected areas, the protection module 308 prevents the write command and the communication module 302 returns 911 an error message, and the method 900 ends 912. In one embodiment, the error message may comprise the abend error message described above.
Alternatively, if the check module 310 finds 910 that all CMD_LBA are assigned to writeable partitions, then the write module 304 writes 914 the data to the storage media 104. If the write was not successful 916, then the control module 106 starts an error recovery process 918.
Determining the success of a write could be, in one embodiment, made by performing a write-verification or reading of the freshly written data. If the write was successful 916 the protection module 308 determines 920 if the freshly written data was written to an auto-protected partition 406. If not, the method 900 ends 912. Alternatively, if so, the write module 304 is configured to determine 922 if the partition is full. The partition is full if all LBAs pertaining to that partition are in state read-only auto-protected 408. This information is obtained from the check module 310.
If the partition is full, the write module 304 changes 924 the protection state of the partition to WORM-protected 404. If the partition is not full, the write module 304 changes 926 the protection status of the just-written LBAs and the partition itself to read-only auto-protect 408. The method 900 then ends 912.
Figure 10 is a schematic block diagram illustrating a write command 1000 having a logical unit number (LUN) 1002 in accordance with one embodiment of the present invention. The write command 1000 may also include a starting LBA 1004, bytes 2-5, and a transfer length 1006, bytes 7-8. In one embodiment, the CMD_LBAs are obtained from the starting LBA 1004 and the transfer length 1006 divided by the LBA size plus one is equivalent to the ending LBA for that write command 1000. In one embodiment, the logical unit numbers 1002 inherent in every SCSI interface may be used to sort rewriteable data from WORM data. For example, rewritable data I/O 402 may be sent across a first logical unit number (LUN-0) of the communication interface 108 of the storage device 100. Auto-protected 406 data I/O could be sent across LUN-2 of the same communication interface 108 of the same storage device 100. WORM protected 404 I/O could be sent across LUN-3 of the same communication interface 108 of the same storage device 100. Data sent through LUN-0 may be saved on a different partition than that of the data of LUN-2 and LUN-3.
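The mode select check of method 800 and the write path of method 900, together with the WRITE(10) layout of Figure 10, as an added simulation that is not code from the patent. Module and step numbers follow the page; the block size, the partition layout, the LUN placement in byte 1, and the reading of "written to an auto-protected partition" as "the partition was configured auto-protected" are assumptions made for the example.

```python
import struct
from enum import Enum


class State(Enum):
    """Protection states, numbered as in the page's Figure 4."""
    UNPROTECTED = 402
    WORM = 404
    AUTO = 406      # auto-protected: each LBA accepts exactly one write
    RO_AUTO = 408   # read-only auto-protected


# Allowable transitions (Figure 4, claims 6 and 16); WORM has no exit.
ALLOWED = {
    State.UNPROTECTED: {State.UNPROTECTED, State.AUTO, State.WORM},
    State.AUTO: {State.UNPROTECTED, State.RO_AUTO},
    State.RO_AUTO: {State.WORM},
    State.WORM: set(),
}
BLOCK = 4  # bytes per LBA; constructed for the example (real media use 512 or 4096)


class CheckCondition(Exception):
    """Stands in for the SCSI check condition / abend returned to the host."""


def parse_write10(cdb: bytes):
    """Parse module (306): starting LBA from bytes 2-5 and transfer length in
    blocks from bytes 7-8 of a WRITE(10) CDB.  The LUN is taken from the top
    three bits of byte 1 (legacy SCSI placement, an assumption here)."""
    if len(cdb) != 10 or cdb[0] != 0x2A:
        raise ValueError("not a WRITE(10) CDB")
    lun = cdb[1] >> 5
    (start,) = struct.unpack(">I", cdb[2:6])
    (length,) = struct.unpack(">H", cdb[7:9])
    return lun, start, length


def build_write10(start: int, length: int, lun: int = 0) -> bytes:
    """Inverse of parse_write10; only used to construct sample commands."""
    return (bytes([0x2A, lun << 5]) + struct.pack(">I", start)
            + b"\x00" + struct.pack(">H", length) + b"\x00")


class Partition:
    def __init__(self, first: int, last: int, state: State):
        self.first, self.last, self.state = first, last, state
        self.lba_state = {lba: state for lba in range(first, last + 1)}


class Controller:
    """Check module (310), protection module (308) and write module (304) in one."""

    def __init__(self, partitions):
        self.partitions = partitions
        self.media = {}  # LBA -> bytes

    def partition_for(self, lba: int) -> Partition:
        for p in self.partitions:
            if p.first <= lba <= p.last:
                return p
        raise CheckCondition(f"LBA {lba} lies outside every partition")

    def mode_select(self, lbas, new_state: State) -> None:
        """Method 800: check every LBA's transition first (810); store only if all pass (812)."""
        for lba in lbas:
            current = self.partition_for(lba).lba_state[lba]
            if new_state not in ALLOWED[current]:
                raise CheckCondition(f"{current.name} -> {new_state.name} not allowed at LBA {lba}")
        for lba in lbas:
            p = self.partition_for(lba)
            p.lba_state[lba] = new_state
            if all(s is new_state for s in p.lba_state.values()):
                p.state = new_state  # partition state follows once all its LBAs agree

    def write(self, cdb: bytes, payload: bytes) -> None:
        """Method 900: reject writes to WORM / RO auto-protected LBAs (910), write
        (914), verify by read-back (916), then apply the auto-protect transitions (920-926)."""
        _lun, start, length = parse_write10(cdb)
        cmd_lbas = range(start, start + length)  # CMD_LBA
        if len(payload) != length * BLOCK:
            raise CheckCondition("payload does not match transfer length")
        for lba in cmd_lbas:
            if self.partition_for(lba).lba_state[lba] in (State.WORM, State.RO_AUTO):
                raise CheckCondition(f"LBA {lba} is write-protected")
        for i, lba in enumerate(cmd_lbas):
            self.media[lba] = payload[i * BLOCK:(i + 1) * BLOCK]
            if self.media[lba] != payload[i * BLOCK:(i + 1) * BLOCK]:
                raise IOError(f"write verification failed at LBA {lba}")  # -> recovery (918)
        for lba in cmd_lbas:
            p = self.partition_for(lba)
            # Assumption: "written to an auto-protected partition" (920) means the
            # partition was configured auto-protected, i.e. it is AUTO or RO_AUTO.
            if p.state not in (State.AUTO, State.RO_AUTO):
                continue
            p.lba_state[lba] = State.RO_AUTO  # 926: just-written LBA becomes read-only
            p.state = State.RO_AUTO
            if all(s is State.RO_AUTO for s in p.lba_state.values()):  # 922: partition full
                p.state = State.WORM  # 924


def attempt(fn) -> str:
    """Run one host operation and report the status the host would see."""
    try:
        fn()
        return "GOOD"
    except CheckCondition:
        return "CHECK CONDITION"
```

A write that touches even one WORM or read-only LBA is rejected before any block is written, and a mode select that contains one disallowed transition stores nothing, mirroring the all-or-nothing checks at steps 810 and 910.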
In order to maintain the data protection attribute of the protection states 402, 404, 406, 408, certain commands are prohibited. For example, the format unit command and the erase command will not be supported on partitions of the storage media 104 which are in protection state WORM protected 404, auto-protected 406 and read-only auto-protected 408. In general, all commands which would allow changing or deleting the data stored in a WORM protected or read-only auto-protected partition are prohibited and rejected by the storage controller via check condition.
Figure 11 is a schematic block diagram illustrating a medium partition mode page 1100 in accordance with one embodiment of the present invention. Mode page 1100 is designated by page code 11h 1101. The control module 106 may be easily adapted to control single-reel tape cartridges and dual-reel tape cassettes. A tape cartridge or cassette can have multiple partitions which may be managed from the host via mode set commands. Thus for a particular partition on the tape cartridge or cassette, the protection state can be set to (a) unprotected, (b) WORM protected, and (c) auto-protected.
The mode pages may be used to transfer information about the protection state from the host to the tape drive. Figure 11 illustrates the medium partition mode page 1100, according to INCITS T10/1434-D. Two bits 1104, 00b - 11b, of the reserved field 1102, which have been previously discussed, can be used to denote the protection state for the partition. In one embodiment, the Medium Format Recognition field 1106 may be used to denote the protection state, especially if tape is being used as the storage medium. A scheme can be incorporated here in which the protection state of a particular partition is encoded in that byte's bits. Alternatively, device drivers that convert the SCSI mode sense and mode select commands to ATA or IDE commands, for example, may be developed to extend the present invention to non-SCSI devices.
For stand-alone tape drives, the tape drive may store the protection state for a partition and for each logical block in that partition in the initialization area for each partition of each removable tape cartridge or cassette. In one embodiment, the protection state for each partition may be stored in both the initialization area of the tape cartridge or cassette and in cartridge or enclosure memory.
Figure 12 is a schematic block diagram illustrating one embodiment of a method 1200 for protecting the control module 106 from intentional corruption of storage devices 100. An example of intentional corruption of storage devices 100 would be someone intentionally taking out a disk pertaining to a WORM protected entity and modifying the data contained within. In one embodiment, the method 1200 starts 1202 and the control module 106 detects 1204 that storage media 104 is broken.
Upon detecting 1204 a storage media 104 failure, the control module 106 is configured to start 1206 appropriate error recovery and posts an error message. If no failure has been detected 1204, the method 1200 continuously checks for disk failures. One example of an appropriate error recovery in a RAID system is to rebuild the RAID.
When the disk drive has been replaced 1208, the control module 106 checks 1210 whether the same disk has been inserted again, as this could point to intentional manipulation, where someone removes the disk, manipulates it and re-inserts it. In one embodiment, checking 1210 for the same disk comprises comparing the unique serial number and manufacturer ID of the storage device 100. If the disk is not the same disk as was previously removed, the control module 106 considers this a new disk and integrates 1216 the disk.
If the disk is 1210 the same disk as before, the control module obtains 1212 the passwords to override the protection. The password must be entered by the user that inserted the disk. If the passwords are not correct 1214, the control module 106 increments 1220 a counter. The counter is configured to maintain the number of incorrect password attempts. If the counter is greater 1222 than a predefined maximum, the control module 106 will isolate the storage media 104 and return 1224 an error state. The error may denote a state where an unauthorized attempt to manipulate the data has been detected and eliminated. If the counter is not greater 1222 than the maximum, the control module 106 again attempts to obtain the password 1212 from the user.
When the passwords are validated 1214, the control module 106 will integrate 1216 the disk. For example, in the case of a RAID array a rebuild will start. If the disk is the same as before, the control module 106 will attempt to perform diagnostics with the disk and scan the medium for possible defects. If no defects are found, the data of the disk is considered valid and so the integration might not require a rebuild. However, if the disk is 1210 not the same, the control module 106 integrates 1216 the disk and considers it a new empty disk. This will require a rebuild. The method 1200 then ends 1226.
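The re-insertion check of method 1200 (steps 1204 through 1226), as an added example that is not the patent's code. Disk identity is compared by manufacturer ID and serial number as the page states; the password verifier, its salt, the attempt limit and the decision to isolate the disk when the user stops answering are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class DiskIdentity:
    manufacturer_id: str
    serial_number: str


SALT = b"constructed-example-salt"  # placeholder; a real controller keeps its own per-array salt


def password_digest(password: str) -> bytes:
    """Slow hash of the override password (constructed verifier, not the patent's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class ReinsertionGuard:
    """Control module (106) logic for steps 1204-1226 of method 1200."""

    def __init__(self, override_digest: bytes, max_failures: int = 3):
        self.override_digest = override_digest
        self.max_failures = max_failures          # the predefined maximum of step 1222
        self.removed: Optional[DiskIdentity] = None
        self.isolated = False

    def disk_failed(self, identity: DiskIdentity) -> str:
        """Steps 1204-1206: remember which disk left the array and start recovery."""
        self.removed = identity
        return "recovery started"

    def disk_inserted(self, identity: DiskIdentity, entered_passwords: Iterable[str]) -> str:
        """Steps 1208-1226; `entered_passwords` yields the user's successive attempts."""
        if identity != self.removed:                     # 1210: not the disk that was removed
            return "integrate: new disk, rebuild"        # 1216
        failures = 0                                     # counter of step 1220
        for candidate in entered_passwords:              # 1212: obtain password from the user
            if hmac.compare_digest(password_digest(candidate), self.override_digest):
                return "integrate: same disk, run diagnostics and scan"  # 1214 ok -> 1216
            failures += 1                                # 1220
            if failures > self.max_failures:             # 1222
                self.isolated = True
                return "isolated: unauthorized manipulation attempt"  # 1224
        # Assumption: if the user stops answering, the disk stays out rather than
        # being integrated silently.
        self.isolated = True
        return "isolated: no valid password supplied"
```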
The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. For example, the SCSI commands described herein could be implemented over a Fibre Channel ("FC") physical layer. Alternately, other protocols, such as FICON, Ethernet, Gigabit Ethernet, Infiniband, TCP/IP, iSCSI, ATA, SATA, and the like, could be used without limitation. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.
Claims
1. An apparatus to implement protected partitions in storage media, the apparatus comprising:
a control module configured to communicate with a host device and receive read and write commands for a storage device having at least one partition;
the control module located within an enclosure housing the storage device; and
a protection module operating within the control module and configured to maintain a plurality of protection states for the partition and a plurality of allowable transitions between the protection states.
2. The apparatus of claim 1, further comprising a check module configured to verify the protection status of partitions and logical block addresses of the storage device.
3. The apparatus of claim 1 or 2, further comprising a parse module configured to extract the logical block addresses and protection statuses from the read and write command.
4. The apparatus of claim 1, 2 or 3 further comprising a write module configured to write data to the storage device and perform protection status transitions of the partition.
5. The apparatus of any preceding claim, wherein the plurality of protection states comprise:
an unprotected state configured to allow the performance of an indefinite number of read/write operations;
a Write Once Read Many (WORM) protected state configured to protect the partition from any attempted write, erase, and format command;
an auto-protected state configured to allow exactly one write operation and subsequently convert to a read-only auto-protect state; and
the read-only auto-protected state configured to prevent write, erase, and format command once data has been written to the partition.
6. The apparatus of any preceding claim, wherein the plurality of allowable transitions comprise:
a transition from the unprotected state to one of the unprotected state for normal read/write operation, the auto-protected state, and the WORM protected state;
a transition from the auto-protected state to one of the unprotected state or the read-only auto-protected state; and
a transition from the read-only auto-protected state to the WORM protected state.
7. The apparatus of any preceding claim, wherein the storage device is selected from the group comprising hard disk drives, DVD-R, DVD-RW, DVD-RAM, HD-DVD, Blu-Ray, UDO, CD-R, CD-RW, magneto-optical, phase change, holographic, tape cartridge drives, tape cassette drives, and solid-state media.
8. The apparatus of any preceding claim, wherein the partition further comprises at least one unit of storage of fixed size.
9. The apparatus of claim 8, wherein the unit of storage comprises a logical block address (LBA).
10. The apparatus of any of claims 1 to 7, wherein the partition further comprises at least one unit of storage of variable size.
11. A system to implement protected partitions in storage media, the system comprising:
a host device;
a storage device coupled with the host, the storage device comprising an enclosure having storage media and a control module;
the control module configured to communicate with the host device and receive read and write commands for a storage device having at least one partition; the control module located within the enclosure; and
a protection module operating within the control module and configured to maintain a plurality of protection states for the partition and a plurality of allowable transitions between the protection states.
12. The system of claim 11, further comprising a check module configured to verify the protection status of partitions and logical block addresses of the storage device.
13. The system of claim 11 or 12, further comprising a parse module configured to extract the logical block addresses and protection statuses from the read and write command.
14. The system of claim 11,12 or 13, further comprising a write module configured to write data to the storage device and perform protection status transitions of the partition.
15. The system of any of claims 11 to 14, wherein the plurality of protection states comprise:
an unprotected state configured to allow the performance of an indefinite number of read/write operations;
a Write Once Read Many (WORM) protected state configured to protect the partition from any attempted write, erase, and format command;
an auto-protected state configured to allow exactly one write operation and subsequently convert to a read-only auto-protect state; and
the read-only auto-protected state configured to prevent write, erase, and format command once data has been written to the partition.
16. The system of any of claims 11 to 15, wherein the plurality of allowable transitions comprise:
a transition from the unprotected state to one of the unprotected state for normal read/write operation, the auto-protected state, and the WORM protected state;
a transition from the auto-protected state to one of the unprotected state or the read-only auto-protected state; and
a transition from the read-only auto-protected state to the WORM protected state.
17. The system of any of claims 11 to 16, wherein the storage device is selected from the group comprising hard disk drives, DVD-R, DVD-RW, DVD-RAM, HD-DVD, Blu-Ray, UDO, CD-R, CD-RW, magneto-optical, phase change, holographic, tape cartridge drives, tape cassette drives, and solid-state media.
18. The system of any of claims 11 to 17, wherein the partition further comprises at least one unit of storage of fixed size.
19. The system of claim 18, wherein the unit of storage comprises a logical block address (LBA).
20. The system of any of claims 11 to 17, wherein the partition further comprises at least one unit of storage of variable size.
21. A signal bearing medium tangibly embodying a program of machine-readable instructions executable by a digital processing apparatus to perform an operation to implement protected partitions in storage media, the operation comprising:
communicating with a host device and receiving read and write commands for a storage device having at least one partition; and
maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
22. The signal bearing medium of claim 21, wherein the instructions further comprise an operation to verify the protection status of partitions and logical block addresses of the storage device.
23. The signal bearing medium of claim 21 or 22, wherein the instructions further comprise an operation to extract the logical block addresses and protection statuses from the read and write command.
24. The signal bearing medium of claim 21, 22 or 23 wherein the instructions further comprise an operation to write data to the storage device and perform protection status transitions of the partition.
25. The signal bearing medium of any of claims 21 to 24, wherein the instructions further comprise an operation to allow transitions from:
the unprotected state to one of the unprotected state for normal read/write operation, the auto-protected state, and the WORM protected state;
the auto-protected state to one of the unprotected state or the read-only auto-protected state; and
the read-only auto-protected state to the WORM protected state.
26. A method for implementing protected partitions in storage media, the method comprising:
communicating with a host device and receiving read and write commands for a storage device having at least one partition; and
maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
27. The method of claim 26, wherein the method comprises verifying the protection status of partitions and logical block addresses of the storage device.
28. The method of claim 26 or 27, wherein the method comprises extracting the logical block addresses and protection statuses from the read and write command.
29. The method of claim 26, 27 or 28 wherein the method comprises writing data to the storage device and performing protection status transitions of the partition.
30. The method of any of claims 26 to 29, wherein the method comprises allowing transitions from:
the unprotected state to one of the unprotected state for normal read/write operation, the auto-protected state, and the WORM protected state;
the auto-protected state to one of the unprotected state or the read-only auto-protected state; and
the read-only auto-protected state to the WORM protected state.
31. An apparatus to implement protected partitions in storage media, the apparatus comprising:
means for communicating with a host device and receiving read and write commands for a storage device having at least one partition; and
means for maintaining a plurality of protection states for the partition and a plurality of allowable transitions between the protection states on a control module located within the storage device.
32. A computer program comprising program code means adapted to perform the method of any of claims 26 to 30 when said program is run on a computer.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2006800392374A CN101292219B (en) | 2005-10-21 | 2006-10-16 | Apparatus, system, and method for implementing protected partitions in storage media |
EP06807301A EP1949212A2 (en) | 2005-10-21 | 2006-10-16 | Apparatus, system, and method for implementing protected partitions in storage media |
JP2008536037A JP4900845B2 (en) | 2005-10-21 | 2006-10-16 | Apparatus, system, and method for implementing protected partitions in storage media |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/255,551 US7694096B2 (en) | 2005-10-21 | 2005-10-21 | Apparatus, system, and method for implementing protected partitions in storage media |
Publications (2)
Publication Number | Publication Date |
---|---|
WO2007045630A2 true WO2007045630A2 (en) | 2007-04-26 |
WO2007045630A3 WO2007045630A3 (en) | 2007-06-07 |
Family
ID=37517178
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/EP2006/067446 WO2007045630A2 (en) | 2005-10-21 | 2006-10-16 | Apparatus, system, and method for implementing protected partitions in storage media |
Country Status (6)
Country | Link |
---|---|
US (1) | US7694096B2 (en) |
EP (1) | EP1949212A2 (en) |
JP (1) | JP4900845B2 (en) |
CN (1) | CN101292219B (en) |
TW (1) | TWI399646B (en) |
WO (1) | WO2007045630A2 (en) |
- 2005-10-21: US US11/255,551, patent US7694096B2, not active (Expired - Fee Related)
- 2006-10-16: CN CN2006800392374A, patent CN101292219B, not active (Expired - Fee Related)
- 2006-10-16: WO PCT/EP2006/067446, patent WO2007045630A2, active (Application Filing)
- 2006-10-16: JP JP2008536037A, patent JP4900845B2, not active (Expired - Fee Related)
- 2006-10-16: EP EP06807301A, patent EP1949212A2, not active (Ceased)
- 2006-10-19: TW TW095138501A, patent TWI399646B, not active (IP Right Cessation)
Also Published As
Publication number | Publication date |
---|---|
CN101292219B (en) | 2011-12-21 |
CN101292219A (en) | 2008-10-22 |
US7694096B2 (en) | 2010-04-06 |
JP4900845B2 (en) | 2012-03-21 |
TW200739345A (en) | 2007-10-16 |
JP2009512925A (en) | 2009-03-26 |
EP1949212A2 (en) | 2008-07-30 |
US20070094469A1 (en) | 2007-04-26 |
TWI399646B (en) | 2013-06-21 |
WO2007045630A3 (en) | 2007-06-07 |
Legal Events
Code | Title | Description |
---|---|---|
WWE | Wipo information: entry into national phase | Ref document number: 200680039237.4 Country of ref document: CN |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
ENP | Entry into the national phase | Ref document number: 2008536037 Country of ref document: JP Kind code of ref document: A |
NENP | Non-entry into the national phase | Ref country code: DE |
WWE | Wipo information: entry into national phase | Ref document number: 2006807301 Country of ref document: EP |
WWP | Wipo information: published in national office | Ref document number: 2006807301 Country of ref document: EP |